The 21st Century Public Company Audit Conceptual Elements of KPMG’s Global Audit Methodology

Timothy B. Bell Mark E. Peecher Ira Solomon AUDIT

The 21st Century Public Company Audit Conceptual Elements of KPMG’s Global Audit Methodology

By Timothy B. Bell A Mark E. Peecher Ira Solomon Foreword by Stuart Campbell and Michael Hughes

© 2005 KPMG International. KPMG International is a Swiss cooperative that serves as a coordinating entity for a network of independent firms operating under the KPMG name. KPMG International provides no services to clients. Each member firm of KPMG International is a legally distinct and separate entity and each describes itself as such. All rights reserved. Printed in the U.S.A. KPMG International is a Swiss cooperative that serves as a coordinating entity for a network of independent firms operating under the KPMG name. KPMG International provides no audit or other client services. Such services are provided solely by member firms of KPMG International (including sublicensees and subsidiaries) in their respective geographic areas. KPMG International and its member firms are legally distinct and separate entities. They are not and nothing contained herein shall be construed to place these entities in the relationship of parents, subsidiaries, agents, partners, or joint venturers. No member firm has any authority (actual, apparent, implied, or otherwise) to obligate or bind KPMG International or any other member firm, nor does KPMG International have any such authority to obligate or bind any member firm, in any manner whatsoever. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. This monograph does not exhaustively cover the policies and procedures comprising KPMG’s audit process, nor does it cover how KPMG’s audit process comports with applicable auditing standards.

Contents

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .i Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .iii Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 Evolution of the Risk-Assessment Orientation in Auditing . . . . . . . . . . .7 Evidence-Driven, Belief-Based Risk Assessment . . . . . . . . . . . . . . . . . .17 Triangulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27 Overview of KPMG’s Global Audit Methodology . . . . . . . . . . . . . . . . .39 Planning Risk Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45 Control Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53 Risk Assessments During Substantive Testing and Completion . . . . . . .59 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 Appendix: Legend of Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71 About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79

Footnotes may be sourced to the references at the end of this document. For ease of exposition, we use acronyms throughout this monograph to represent key terms that are repeated. To assist the reader, the Appendix is a legend of these acronyms.

Foreword By Stuart Campbell and Michael Hughes

Thought leadership in auditing is a deeply embedded tradition at KPMG. From innovations on new audit risk assessment frameworks to programs that support scholarly activities like the Research Opportunities in Auditing program and the KPMG and University of Illinois Business Measurement Case Development and Research Program, KPMG has supported new developments in auditing practice, education, and research in a variety of ways. Today, at a time when thought leadership is more critical than ever, KPMG has produced this book in collaboration with two scholars in the academic community. We have done so to provide audit professionals, business managers and directors, regulators and standard-setters, scholars, and accounting students with a resource that discusses conceptual underpinnings of risk assessment, evidence gathering, and other professional judgment activities that are pervasive in 21st century public company audits. The ideas in this book should be of interest to all serious audit thinkers. Professionals who internalize the concepts presented in this book should improve their self-insight into the nature of their work and the fundamental drivers of high audit quality. In turn, a keen understanding of these concepts can lead to improved implementation of audit methods and techniques. Regulators and standard-setters also may find the concepts and related discussions in this book to be helpful as they strive to improve the authoritative guidance. In addition, auditing educators and scholars are likely to find this book to be a valuable vehicle for reflecting, conducting research, and educating their students on core auditing concepts. The concepts and discussions in this book, a sequel to the book Auditing Organizations Through a Strategic-Systems Lens (published by KPMG in 1997), emphasize the nature and import of professional judgment in audit risk assessment and the value of obtaining audit evidence from multiple sources using multiple approaches (what the authors call triangulation). The authors propose triangulation as a strategy for improving the auditors’ judgment and decision-making processes and management of detection risk, and hence, the quality of the audit. Finally, the book’s concepts highlight the enduring, if not increasing, value of professional skepticism.

– i –

The book most insightfully calls for auditors to be skeptical not only of management and of evidence but also of their own judgment processes. We believe that this discussion of core concepts underpinning today’s public company audit provides valuable new insights about the fundamental determinants of audit quality and, therefore, can help the profession determine new ways to enhance audit quality as it faces new challenges in the 21st century.

Stuart Campbell National Managing Partner

Michael Hughes Global Managing Partner

Audit & Advisory Services Center KPMG LLP

Global Audit KPMG International

– ii –

Preface

Recent times indeed have been most interesting for those of us anywhere in the world who have made the study and/or practice of public company auditing our life’s work. Thought leaders and regulators from across the globe are contemplating or already have introduced new legislation, regulations, and/or authoritative auditing guidance that, collectively, represent some of the most significant reforms in 70 years for public company auditing. In the United States, various sections of the Sarbanes-Oxley Act of 2002 have triggered new responsibilities and accountabilities for corporate governors, birthed a new regulatory agency to oversee public company auditing, and mandated new standards that target auditing of internal control over financial reporting for public companies. Internationally, there has been a flurry of new auditing standards. Developments continue as we write; the pace of change continues to be significant. There are many ways in which one can think about the meaning of these unprecedented changes. To us they primarily mean the following: Society’s expectations and demands for high-quality auditing—auditing that improves financial reporting quality and that helps prevent and detect financial statement fraud—are being articulated, in a most punctuated manner, via these new institutions, regulations, and authoritative guidance. The emergence of new institutions, regulations, and authoritative guidance clearly raises the bar with respect to minimum standards of audit quality. Society’s expectations and demands from the audit profession, however, are for leadership in setting the bar and, as appropriate, continuing to raise the bar for the quality of public company auditing. Our thirst for continuous improvement in audit quality is the raision d’etre for this monograph. The ideas in this monograph unfold in layers. A macro-view of them, however, is that 21st century public company auditors undertake a professional judgment and decision-making journey. This journey ubiquitously involves and culminates in risk assessments that stem from well-justified beliefs. To arrive at well-justified beliefs, auditors acquire evidence of and from different fundamental sources. Auditors acquire evidence that is relatively difficult for the entity’s management to distort and that provides insight about significant economic events and circumstances relevant to the entity’s financial reporting. This evidence complements evidence that manage-

– iii –

ment can more readily distort and provides important insights about whether the entity’s management has captured, transformed, and represented such economic events and circumstances fairly within the entity’s financial statements, in accordance with applicable financial reporting frameworks. These ideas have significant implications for various aspects of public company auditing, including the notion of professional skepticism, how auditors should frame evidence planning and acquisition issues, and how auditors treat the entire audit as recursive risk assessment. We envision five audiences for this monograph: practitioners, regulators and standard-setters, business managers and directors, scholars, and students. While we hope that the ideas communicated in this monograph help to improve the quality of public company auditing, even greater potential for continuous improvement will follow if others critique, refine, conduct research about, and expand on these ideas. If this monograph serves as a catalyst for such conversation and dialogue, it will have served its primary purpose. We would like to acknowledge the helpful comments on earlier drafts of this monograph from Frederick Neumann (University of Illinois at Urbana-Champaign); Ken Trotman (University of New South Wales); Mike Conway (retired partner), Craig Crawford, and Scott Showalter (KPMG’s Department of Professional Practice); and Stephen Bligh, Stuart Campbell, Marty Finegan, Ted Horne, Simon Marti, Shane O’Connor, Arne Stratmann, and Digby Wirtz (KPMG’s Audit & Advisory Services Center). Special thanks go to Ram Menon (KPMG LLP) and Shu Yeh (National Taiwan University), who contributed to early discussions on issues pertaining to the subject matter, and to Mike Tolpa (KPMG LLP), who worked closely with us on the acquisition, development, and interpretation of background materials on KPMG’s Global Audit Methodology, and helped us to improve our articulation of concepts.

Timothy B. Bell KPMG LLP Mark E. Peecher University of Illinois at Urbana-Champaign Ira Solomon University of Illinois at Urbana-Champaign

– iv –

Chapter 1

Introduction

The NASDAQ market index reached its all-time high in March of 2000 and then began a precipitous slide. Shortly thereafter signs of an economic downturn became unmistakable. As has been the case many times before, when the economy turned down, indications of business improprieties came to light. Some of the alleged improprieties were of enormous scale, appeared to involve the highest levels of business management, and were perpetrated or facilitated, at least in part, by materially misstated financial statements. Quickly, the cry went out—Where were the auditors? One of the Big Raising the Audit Quality Bar Five firms, Arthur Andersen LLP, From the IAASB Action Plan 2003–2004, was the auditor of record for several International Auditing and Assurance of these high-profile cases, including Standards Board Enron and WorldCom. A firm that The business environment is subject to continhistorically had enjoyed a reputation uous change. Recent changes in the business for being tough, competent, and environment have included the effects of globhonest, Andersen was charged with alization and technology, the increasing use of judgment and estimates in the preparation of several crimes, convicted of obstructfinancial statements and significantly increased ing justice, and ultimately had to pressures that may lead to fraudulent financial discontinue its operations.1, 2 reporting.

Recent corporate failures have undermined the public’s confidence in the governance of public companies and raised concerns about the quality of their published financial information and the credibility of their reported earnings. These have also led to questions as to the effectiveness of audits and the integrity of the audit process and emphasized the key role of high-quality auditing standards.

Sweeping standard-setting and regulatory changes followed these and related events. The International Auditing and Assurance Standards Board (IAASB) developed an ambitious action plan and issued several new International Standards on Auditing (ISAs). Some of the new ISAs expand minimum requirements for auditors’ understanding of the

1

See Squires et al. [2003], p. 25.

2

Other than the voluntary closing of Laventhal & Horwath, no large auditing firm besides Andersen has discontinued operations in the United States in modern times. On May 31, 2005, the U.S. Supreme Court announced its unanimous decision to reverse the 2002 criminal conviction of Andersen.

– 1 –

Raising the Audit Quality Bar From Donald T. Nicolaisen, “In the Public Interest: A Conversation with the Chief Accountant of the SEC,” Journal of Accountancy, January 2005 I’d start by saying that the accounting profession does matter. It matters immensely to the investor community and to society—and that puts tremendous responsibility on its members. Second, the profession needs to continue to right itself in the eyes of the investors and address not just the issues of yesterday or today, but those of tomorrow. I think that journey has begun, but we still have much to do.

entity’s business and industry, evaluation of the effectiveness of its internal controls, and assessments of risk of material misstatement (RMM), detection risk (DR), and, thus, the interrelated components of audit risk (AUR) for both error and fraud.3 Other new ISAs address auditors’ responsibility to design and perform additional procedures that are responsive to preliminary assessments of RMM. Still other ISAs address auditors’ assessment and management of DR through timely, effective audit quality control.4

Third, I’d say focus on quality. Understand what you’re doing, why you are doing it and to whom it’s important. Be relentless in paying attention to your piece of the responsibility. Recognize that it is yours, and no one else’s.

The U.S. Congress passed and President Bush signed into law the Corporate and Auditing Accountability, Responsibility, and Transparency Act of 2002, commonly called the Sarbanes-Oxley (SOX) Act. SOX contains numerous provisions intended to enhance public company financial reporting and thereby elevate investors’ confidence. SOX also created the Public Company Accounting Oversight Board (PCAOB) and vested in it a broad array of authorities and responsibilities, including standard setting for audits of public companies. 3

Audit risk (i.e., AUR) is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. AUR is described as a function of the risk of material misstatement (i.e., RMM, the risk that the financial statements are materially misstated prior to the audit) and detection risk (i.e., DR, the risk that the auditor will not detect misstatements that could be material individually or when aggregated with other misstatements). Further, two components of RMM are identified, inherent risk and control risk. Inherent risk is the susceptibility of an assertion to misstatement, that could be material, individually or when aggregated with other misstatements, assuming there were no related internal controls. Control risk is the risk that a misstatement that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal controls (see, e.g., Glossary of Terms included in the IAASB Handbook of International Auditing, Assurance, and Ethics Pronouncements 2005 Edition).

4

See IAASB Handbook of International Auditing, Assurance, and Ethic Pronouncements 2005 Edition: ISA 315, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement; ISA 240, The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements; ISA 330, The Auditor’s Procedures in Response to Assessed Risks; International Standard on Quality Control 1 (ISQC 1), Quality Control for Firms That Perform Audits and Reviews of Historical Financial Information, and Other Assurance and Related Services Engagements; and ISA 220, Quality Control for Audits of Historical Financial Information. Also, the IAASB recently issued for public comment an exposure draft that: . . . introduces requirements for greater rigor and skepticism into the audit of accounting estimates, including the auditor’s consideration of possible management bias (see Proposed International Standard on Auditing 540 (Revised), Auditing Accounting Estimates and Related Disclosures (Other than Those Involving Fair Value Measurements and Disclosures) [2004]).

– 2 –

By June 2004, the PCAOB had issued three new audit standards (ASs).5 AS1 emphasizes the PCAOB’s standard-setting authority for audits of U.S. public companies. For example, it requires that audit reports refer to standards of the PCAOB (United States) rather than to generally accepted auditing standards. AS2 addresses a new dual-opinion integrated audit for public companies in the United States and establishes requirements and provides direction when an auditor is engaged to audit both a company’s financial statements and management’s assessment of the effectiveness of internal control over financial reporting. An audit of internal control over financial reporting requires the auditor to assess the risk of material weakness (RMW) based on considerable evidence.6 AS3 increases minimum standards for the documentation auditors must prepare and retain in connection with an audit of financial statements, an audit of internal control over financial reporting, and a review of interim financial information. In addition to issuing new standards, the PCAOB established an intensive registered audit firm inspection program. While it is difficult to predict the ultimate impact of these recent developments, one matter already is abundantly clear. Global regulators and standard-setters intend to raise the audit quality bar by improving auditing standards and monitoring the quality and integrity of auditors’ and audit firm practices. We, therefore, find the auditing profession midway through the first decade of the 21st century with a new regulatory structure and other new institutional features that reflect an unprecedented demand and accountability for high-quality audits. The challenge now facing the audit profession is to determine the audit methods and techniques, audit evidence, individual auditor and audit firm protocols, and other qualitycontrol mechanisms that will address this heightened demand and accountability. In this monograph, we present concepts germane to this challenge within the context of 21st century public company auditing. We also illustrate how the concepts can be implemented by providing an overview of KPMG’s Global Audit Methodology. Central to our discussion, and as depicted in Figure 1.1, these concepts rest on the view that a public company’s financial reporting process begins with selected entity business states (EBS) that are transformed by management information intermedi5

See AS1, References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Board; AS2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements; and AS3, Audit Documentation.

6

AS2 indicates that auditors should express an opinion on management’s assertions related to their internal assessments of the effectiveness of internal control over financial reporting. It also stipulates that, to render such an opinion, the auditor should: (1) obtain reasonable assurance about whether, in all material respects and as of the date of management’s assessment, the entity maintained effective internal control over financial reporting (i.e., that no material weaknesses exist) and (2) audit the entity’s financial statements. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected (also see AS2 for definitions of control deficiency and significant deficiency.)

– 3 –

Figure 1.1: The Financial Reporting Process Culminates in Representations of Entity Business States Internal Control Suppliers

Customers

(Including Internal Control Automated Over Financial Reporting) Processes

General Purpose F/S

Audited Entity Alliance Partners

Competitors

Regulators

Capital Markets

Entity Business States

Applicable Reporting Framework

Manual Processes

Management Information Intermediaries

Journals & Ledgers

MD&A

Management Business Representations

aries (MII) into management business representations (MBR).7 Thus, the financial reporting process culminates in management business representations (MBR) of selected EBS.8 Applying this characterization to today’s public company audit, one primary objective is to obtain reasonable assurance about whether, in all material respects, financial statement portrayals of selected EBS (part of MBR) correspond to applicable financial reporting frameworks (part of MII).9 In some jurisdictions, another primary objective is to obtain reasonable assurance about whether, in all material respects, the entity maintained effective internal control over financial reporting (another part of MII) as of the date of management’s assessment of such controls. Evidence obtained in relation to these two primary objectives can be mutually reinforcing. For example, when obtaining assurance about internal control effectiveness as of the date of management’s assessment, the auditor also may obtain assurance that internal controls were effective throughout a reporting period and 7

EBS are the business strategies, conditions, and processes and economic actions/events and relationships with other entities that pertain to the audited entity and its economic web. MII are transforming information intermediaries such as applicable financial reporting and internal control frameworks (including oversight by corporate governors), computer networks and information systems, documentation (e.g., invoices), as well as people and policies. MBR are management’s representations of selected EBS within accounting journals or ledgers, conference calls, financial statements (including footnotes), interviews, MD&A, presentations, and press releases. There are different, overlapping categories of EBS: MII transform selected EBS to produce financial statements, MII transform other selected EBS to facilitate strategic and resource-allocation decisions or to monitor operations, and still other EBS may be transformed by other entities or persons, while some elements of EBS may remain unknown.

8

Because people and entities influence current and future EBS, the term states within EBS differs from states of nature as used in decision theory (Savage [1954]).

9

Auditing is a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users (See Silvoso, et al. [1973], A Statement of Basic Auditing Concepts (ASOBAC), Studies in Accounting Research No. 6).

– 4 –

consider reducing the assessed risk that management’s financial statement representations of selected EBS do not correspond, in all material respects, with applicable financial reporting frameworks. Thinking about the financial reporting process and the public company audit in this fashion and considering the auditor’s responsibility to provide reasonable assurance (which, according to the current authoritative guidance is a high, but not absolute, level of assurance) for detection of material misstatements due to fraud, helps the 21st century auditor, corporate governors, and other interested parties to understand why, to restore confidence in public companies’ financial reporting, it would be prudent to:10 • Obtain sufficient, appropriate evidence of and from EBS, MII, and MBR—as each of these constitute fundamental sources of evidence possessing unique strengths and weaknesses. Throughout this monograph, we use the term triangulation to describe the strategy and act of acquiring and evaluating complementary evidence of and from these three sources. • Recognize that some EBS-based evidence is distinctive in its ability to address society’s demand for improved fraud risk assessment and detection since, if fraud were to exist, all evidence controllable by management may well contain similar distortions. And, management will find it more difficult to distort some EBSbased evidence compared with either MII- or MBR-based evidence.11 • Rely on such triangulated evidence to establish a basis for developing and revising sufficiently well-justified beliefs about the effectiveness of internal control over financial reporting and the correspondence of financial statements with applicable financial reporting frameworks. • Draw on these well-justified beliefs, throughout the audit, to enhance assessments of RMW and components of AUR. During the audit, auditors engage in a recursive process of evidence-driven, belief-based risk assessment that helps them identify additional evidence useful in ultimately reducing DR to acceptably low levels.12 10

The Glossary of Terms included in the IAASB Handbook of International Auditing, Assurance, and Ethics Pronouncements 2005 Edition, p. 143, notes that reasonable assurance (in the context of an audit engagement) is a high, but not absolute, level of assurance, expressed positively in the auditor’s report as reasonable assurance, that the information subject to audit is free of material misstatement.

11

Auditors’ strategy to pursue relatively direct evidence of and from EBS is, in part, a response to what ASOBAC characterizes as a pervasive problem of indirect evidence in financial statement auditing. ASOBAC indicates that, although the economic events of interest are the entity’s transactions and operating events, auditors often must rely on evidence removed from transactions and operating events (i.e., the auditor must rely on relatively indirect evidence). An additional consideration is that evidence that is more direct may be less susceptible to manipulation by management. The more evidence that is directly of and from EBS and the more independent it is of management’s influence, the more persuasive it usually is thought to be (Mautz and Sharaf [1961]).

12

All audit procedures capable of yielding audit evidence are risk assessment procedures regardless of whether auditors complete them during planning, control evaluation, substantive testing, or completion. Also, by recursive, we mean the process is repeated until the auditor has amassed sufficient, appropriate evidence that, in turn, enables sufficiently welljustified beliefs by which the auditor assesses that achieved DR is sufficiently low to support issuance of an audit opinion.

– 5 –

In the next two chapters we lay the groundwork for extended discussion of triangulation in Chapter Four. In Chapter Two, we discuss the emergence and evolution of the audit risk-assessment orientation during the 20th and 21st centuries. In Chapter Three, we characterize the integrated audit process as a recursive process involving evidence-driven, belief-based assessments of RMW, RMM, and DR. We develop this conceptualization of the integrated audit process predominantly within the context of the financial statement audit. While the concepts presented herein also should be applicable to the U.S. PCAOB’s integrated audit performed in accordance with AS2, the two conceptualizations differ. For example, our conceptualization does not address SOX requirements dealing with management’s assessment of the operating effectiveness of internal control over financial reporting, or the number of audit opinions issued on a public company audit. These matters pertain to efforts by law makers and regulator/standard setters to strengthen accountabilities. Rather, our conceptualization focuses on the classification, definition, and unique properties of fundamental sources of evidence, and the role and import of obtaining and integrating these mutually-reinforcing sources of evidence to develop well-justified beliefs during the recursive financial-statement audit risk assessment process. In Chapter Four, we extend our discussion on triangulation and present several interrelated reasons why auditors’ evidence-driven, belief-based risk assessments generally should be based on triangulated evidence. Then, in Chapters Five through Eight, we illustrate how these concepts can be applied within the workflow associated with KPMG’s Global Audit Methodology. We present concluding remarks in Chapter Nine, including discussion of the need for research on determinants of high-quality public company auditing in the 21st century.

– 6 –

Chapter Two

Evolution of the RiskAssessment Orientation in Auditing In this chapter we present a brief overview of the evolution of the risk-assessment orientation in auditing during the 20th century and discuss implications of these changes for modern-day auditing concepts and practices. By considering why and how audit objectives and techniques have changed over time, recurring systemic issues and trends become apparent. Enhanced awareness of these issues and trends makes it easier to understand the evolving conceptual foundation upon which the contemporary practice of auditing rests, and can, we believe, facilitate practicing auditors’ development and implementation of strategies for attaining the high level of quality expected from a 21st century public company audit. 20th Century Changes in Audit Objectives and Techniques

Figure 2.1 on page 8 identifies selected changes in audit objectives and techniques during the 20th century as well as selected 21st century changes, some of which are expected and others that already have occurred (see the blue rectangle). The figure also associates these evolving objectives and techniques with precipitating events, some of which occurred decades ago while others only recently occurred. Note, first, that at the outset of the 20th century there was a rise in absentee ownership of corporations. As a result, the overarching objective of the audit changed from a check on the internal consistency of the accounting records (i.e., to detect and deter bookkeeper and employee misappropriation and error) to an assessment of the fairness of financial reports provided to outside capital providers. In addition, many business organizations already had become so large that the cost of the detailed audit became prohibitive. One auditor response was to evaluate clients’ systems of internal check, a precursor to today’s internal control (Cushing et al. [1995]), and to perform selective tests of details when warranted. For example, as Dicksee’s Auditing noted in 1905: A proper system of internal check [will] frequently obviate the necessity of a detailed audit.13

13

Quote from Brown, R. G. [1962].

– 7 –

When a reliable system of internal check existed, early 20th century auditors conducted fewer detailed tests, thereby revising their audit approaches based on perceived variations in what U.S. public company auditors today would call internal control over financial reporting and, implicitly, on assessments of RMM. The riskassessment orientation, therefore, has been present in financial statement auditing for at least 100 years. Over time, auditors modified the concept of internal check, eventually creating today’s widely accepted internal control frameworks (e.g., COSO and CoCo).14 Following SOX section 404 and PCAOB AS2, management’s assessment of the effectiveness of internal control over financial reporting has today become the focus of a mandatory audit for public companies in the United States. Figure 2.1: Evolution of the Risk-Assessment Orientation for Public Company Auditing SAS No. 39 Audit Sampling

Audit Risk Model (ARM) Appears in SAP No. 54

OwnerManager Era

Rise of Publicly Financed Corporation

Ancient – Late 1800s

Early 1900s

Focus on employee fraud

Fairness of financial reporting

Fairness of financial reporting; risk assessment model formalized (RMM)

Detailed testing of evidence from MBR

Selective detailed testing of evidence from MBR

Analytical procedures emerge to partially compensate for selective detailed testing from MBR

Not much evidence from MII

Selective evidence from MII

Use MII evidence as cost-effective

Not much evidence from EBS

Not much evidence from EBS

Securities Acts of ‘33 & ‘34; McKessonRobbins Case

1930s

1970s

Equity Funding S&L Crisis

SAS No. 47 Audit Risk Model SAS No. 53 Responsibility to Detect Errors and Irregularities

1980s

COSO & CoCo Emergence of StrategicSystems Auditing to Strengthen Control of Non-Sampling Risk SAS No. 82 Consideration of Fraud

Enron; WorldCom; Parmalat SAS No. 99 Consideration of Fraud SOX/PCAOB IAASB Issues ISAs That Institutionalize the SSA Emphasis on EBS

Mid – Late 1990s

21st Century

Fairness of financial reporting; RMM; fraud responsibility made transparent

Public Company audits focus on RMW and RMM; clarify reasonable assurance, for both fraud and error detection, equates to a high level of assurance

Growth in use of evidence from EBS to target MBR evidence; complex analytical procedures

Triangulation of complementary evidence from EBS, MII, and MBR; growth in forensic audit procedures

Overarching Audit Objectives Fairness of financial reporting; RMM; “test basis” emphasized; fraud responsibility opaque

MBR Evidence Growth in analytical procedures; some selective detailed testing of evidence from MBR

MII Evidence

New emphasis on EBS (e.g., observe INV and confirm A/R)

Internal control becomes target of attest in U.S. setting

EBS Evidence

Growth in EBS as evidence itself and as attention-directing for MII and MBR

Continued growth in EBS as evidence itself and as attention-directing for MII and MBR evidence. EBS value increases due to fraud detection responsibilities

Increasing Business & Accounting Complexities

As Figure 2.1 highlights, there have been a number of other developments in the risk-assessment orientation (see, e.g., Mock and Vertinsky [1985]). In particular, audit objectives have evolved, especially with respect to the nature and clarity of auditors’ responsibilities to consider fraudulent financial reporting when assessing 14

COSO refers to a publication of the Committee of Sponsoring Organizations of the Treadway Commission entitled Internal Control-Integrated Framework. CoCo refers to a publication of the Canadian Institute of Chartered Accountants entitled Criteria of Control.

– 8 –

RMW and RMM, and when planning the acquisition of evidence to reduce DR to an acceptably low level in response to the preliminary assessment of the risk of material misstatement due to fraud (e.g., SASs 16, 53, 82, and 99). In response to evolving audit objectives, there have been changes in the nature and amount of evidence obtained from EBS, MII, and MBR, as well as the audit techniques used to acquire such evidence. In the 1930s the McKesson-Robbins case, for example, which involved management’s intentional overstatement of material amounts of inventory and receivables, prompted regulatory intervention and, ultimately, the widespread adoption by the profession of greater EBS-based evidence acquisition through inventory observation and independent confirmation of receivables.15 One of the most significant developments in the risk-assessment orientation occurred in the 1970s, with the emergence of the audit risk model (ARM) in U.S. authoritative guidance. The ARM decomposes audit risk into three compensatory components: inherent risk, control risk, and detection risk.16 The compensatory form of the ARM implies that lower risk in any one component of audit risk will offset higher risk in the combination of other components. For example, if an auditor were to assess control risk as high, the auditor could reduce the planned level of detection risk, elevate substantive testing accordingly, and still achieve the targeted level of overall audit risk. As auditors relied on the ARM as a planning tool, selective detailed testing and application of analytical procedures became firmly entrenched in auditing practice.17 Related, the auditing profession explicated (in authoritative guidance) a set of five assertions: existence or occurrence, completeness, rights and obligations, valuation or allocation, and presentation and disclosure. These assertions constitute representations made by management about the entity’s financial position, financial performance, and other attributes of the business (i.e., they are components of MBR).18 Audit firms developed procedures over time to assess components of audit risk and to test 15

The SEC’s original investigation notes: “For many years accountants have in regularly applied procedures gone outside the records to establish the actual existence of assets and liabilities by physical inspection or independent confirmation. There are many ways in which this can be extended. Particularly, it is our opinion that…inspection of inventories and confirmation of receivables, which, prior to our hearings, had been considered optional steps, should…be accepted as normal auditing procedures….” (Brief [1982], p. 11-12, italics added).

16

In the United States, the ARM first was presented in equation form in 1972 in an appendix to Statement on Auditing Procedure (SAP) No. 54 entitled Precision and Reliability for Statistical Sampling in Auditing. The Auditing Standards Board later included a similar equation in an appendix to U.S. Statement on Auditing Standards (SAS) No. 39 on Audit Sampling. Therein, detection risk is decomposed into analytical procedures risk and tests of details risk—the two primary classes of substantive tests applicable at the assertions level. While prominent, the ARM has been subjected to much criticism (see, e.g., Cushing and Loebbecke [1983] and Kinney [1989]).

17

For more discussion of the evolution of analytical procedures see, e.g., Biggs, Mock, and Watson [1989] and Trotman [1990].

18

ISA 500 presents separate groups of assertions for classes of transactions and for account balances, consistent with prior treatment of assertions.

– 9 –

for misstatement in specific assertions (e.g., physical examination of a tangible asset provides evidence of its existence; confirmation of an account receivable provides evidence of the existence of a customer’s financial obligation to the entity and of the accuracy of the recorded obligation). Also, audit firms expended considerable effort to advance audit procedures applied in conjunction with substantive statistical sampling methods.19 One consequence of the development of statistical sampling was that auditors partitioned DR into sampling risk and non-sampling risk. According to international authoritative guidance, sampling risk arises from the possibility that an auditor’s conclusion, based on a sample may be different from the conclusion reached if the entire population were subjected to the same audit procedure. NonFrom Montgomery’s Auditing, sampling risk, on the other hand, 10th Edition [1985] arises from factors that cause the Analyses of past alleged audit failures indicate auditor to reach an erroneous that such non-sampling risk factors as failure to conclusion for any reason not related understand business situations or risks, errors to the size of the sample (ISA glosin interpreting accounting principles, mistakes sary of terms, emphasis added). in interpreting and implementing standards, and misstatements caused by client fraud are among the most significant audit risk factors and sources of auditor liability.

Despite the importance of nonsampling risk,20 U.S. authoritative guidance does not explicitly represent it in the ARM, suggesting instead that such risk can be reduced to a negligible level through appropriate planning, supervision and quality control mechanisms (see, e.g., AU§350.11, AU§350.48 on Audit Sampling and AU§312.27 on Audit Risk and Materiality). One source of non-sampling risk is the possibility that auditors’ belief formation and revision in response to sufficient, appropriate audit evidence may be faulty, resulting in poor assessment(s) of any component of audit risk (i.e., inherent risk (IR), control risk 19

During the 1980s some firms, including Peat Marwick, Mitchell & Co., developed and implemented a suite of sophisticated mathematical tools. Research studies had documented considerable variation in auditors’ judgments on audit scope for the same hypothetical audit client. Auditors used these then state-of-the-art statistical sampling and mathematical decision aids to help make difficult audit judgments, including judgments about audit scope, planning materiality, evaluations of internal control and assessment of control risk, and judgments about sample sizes for tests of details. See, for example, Robert K. Elliott, “Unique Audit Methods: Peat Marwick International,” Auditing: A Journal of Practice & Theory [Spring, 1983, pp. 1-22]. Cushing and Loebbecke’s study entitled Comparison of Audit Methodologies of Large Accounting Firms [AAA, 1986] reports that Peat Marwick, Mitchell & Co.’s audit methodology was one of the most highly structured among the largest firms. The high level of structure was an attempt to reduce variation across audits and thereby promote consistently high audit quality.

20

In our view, given today’s complex business environment as well as the subjectivity both featured in applicable financial reporting frameworks and associated with the assessment of audit risk components, non-sampling risk is a significant, if not the major, source of DR. Further, the auditor cannot accurately assess and manage sampling risk (e.g., determine a sufficient sample size and draw implications from sample findings to the population of interest) unless he or she properly assesses and manages non-sampling risk.

– 10 –

(CR), RMM, and DR, including sampling risk). Other sources of non-sampling risk are misinterpretation or misapplication of accounting principles and auditing standards, failure to obtain an understanding of the entity and its environment sufficient for assessing the components of AUR, and failure to obtain sufficient, appropriate audit evidence when responding to preliminary assessments of such components. Studies conducted by auditing scholars and by auditing firms indicate that inadequate control of non-sampling risk is associated with undetected material misstatements (especially fraudulent financial reporting).21 While carefully executed audits can, in concept, reduce non-sampling risk to negligible levels, reduction of nonsampling risk in practice is a complex and challenging task. Rather than conjecture about any of the numerous contemporary alleged audit failures to illusFrom Houghton and Fogarty’s Study trate the benefits of heightened on “Inherent Risk” [1991] attention to non-sampling risk (e.g., The profession’s historic view of inherent risk is Tyco, WorldCom), we note that such reflected in SAS No. 39, Audit Sampling. This benefits also are apparent from statement chose to ignore inherent risk in deteraudits conducted during the late mining audit scope for purposes of determining 1980s, when the United States expesample sizes because it was believed to be diffirienced a savings and loan crisis. cult and potentially costly to quantify…. Inherent risk analysis, while used intuitively by most auditors during the audit planning process, was not formally incorporated into the firm’s audit literature…. [I]nherent risks exist irrespective of controls. Therefore, a search for controls does not identify such risks.

Illustrative of how non-sampling risk can contribute to an alleged audit failure, auditors of Lincoln Savings & Loan (LSL) had tested the transactions that regulators and courts ultimately deemed to be materially misstated. Nevertheless, the design and/or implementation of audit procedures and/or the auditors’ belief revision based on the various test results apparently did not lead to detection of the misstatements. Greater attention to acquiring certain evidence of and from EBS in the LSL audit may have enabled the auditor to realize that management’s assertions were too good to be true.22, 23 As we discuss in greater detail in Chapter 21

Neither U.S. nor international authoritative guidance explicitly recognizes the impact of mis-specified assessments of RMM on achieved detection risk. International guidance, however, recently has expanded minimum requirements for assessments of RMM (see ISA 315), and does elaborate on how non-sampling risk factors prevent DR from being driven down to zero and how proper planning, staff assignment, review, and supervision as well as professional skepticism help the auditor to address non-sampling risk factors (see ISA 200, paragraph 22).

22

See, e.g., Erickson et al. [2000].

23

Shibano [1990] observes that the decision-theoretic approach underlying the algebraic ARM in U.S. authoritative guidance does not formally incorporate the possibility that management may attempt to deceive the auditor. As he notes, with the increased responsibility of auditors to provide reasonable assurance of detecting intentional misstatements, the profession needs a testing theory explicitly incorporating intentional misstatements…. Variants of strategic-testing theory, which lever behavioral game theory, arguably better address the implications of strategic members of management who may engage in intentional misstatement (also see, e.g., Zimbelman and Waller [1999]).

– 11 –

Four, auditors obtain a sufficient understanding of the entity’s business and its environment to help them identify and gather additional evidence of and from EBS, MII, and MBR that, in turn, helps them develop better-justified beliefs and improved risk assessments. Interestingly, instead of advocating that the auditor generally acquire considerable complementary evidence of and from all three fundamental sources—EBS, MII, and MBR—the ARM effectively offers the following evidence-acquisition frame—How can the auditor trade off one type of evidence for another? 24 In our view, a more appropriate evidence-acquisition frame for the 21st century public company audit is—How can the auditor best lever all three complementary sources of evidence to develop sufficiently well-justified beliefs and risk assessments? Consistent with the latter view, today’s international authoritative guidance (e.g., ISA 315) requires the auditor to obtain an understanding of EBS, MII, and MBR sufficient to identify and assess RMM and sufficient to design and perform further audit procedures. The 21st century public company auditor, accordingly, does not rely exclusively on evidence of and from MII and MBR, or singularly on either source of evidence when obtaining reasonable assurance about the correspondence of the entity’s financial-statement portrayals of selected EBS to applicable financial reporting frameworks or when obtaining reasonable assurance about the effectiveness of the entity’s internal control over financial reporting. Instead, the auditor interprets and strengthens evidence of and from MII and MBR in light of acquired evidence of and from EBS. More generally, the auditor understands that evidence of and from all three sources—EBS, MII, and MBR—can be diagnostic of any one or a combination of the risks relevant to a public company audit, with their collective power increasing when auditors treat the three sources as complements. Summarizing to this point, our overview of the evolution of the risk-assessment orientation during the 20th century highlights several important systemic issues and trends. For example, at several key junctures throughout the century, corporate business failures accompanied by fraudulent financial reporting prompted the profession 24

An extreme form of this frame is the so-called purely substantive audit—one in which the auditor sets inherent and control risks at maximum and acquires minimally acceptable evidence of and from EBS and MII for the purpose of planning the extent of substantive testing. Such an audit historically has been permissible in the United States. SAS 47, paragraph 29, states: If an auditor concludes that the effort required to assess inherent risk for an assertion would exceed the potential reduction in the extent of auditing procedures derived from such an assessment, the auditor should assess inherent risk as being at the maximum when designing auditing procedures. Paragraph 30 states, If the auditor believes that evaluating their [controls] effectiveness would be inefficient, he or she would assess control risk for that assertion at the maximum. In 2000, the Panel on Audit Effectiveness in the United States commented on this propensity: Since 1984, auditors have been required to follow SAS No. 47; in other words, they have been required to employ the audit risk model. Notwithstanding this requirement, anecdotal and other evidence indicates that many (but by no means all) audits continued to be performed using substantive testing approaches with little or no attention paid to the results of the risk assessments called for by the model. This phenomenon perhaps is facilitated by the fact that the model permits “defaulting” to an assumption that risks are at a maximum level (Panel on Audit Effectiveness, Report and Recommendations (Stamford, CT, Public Oversight Board, August 31, 2000).

– 12 –

to develop more effective techniques for assessing RMM due to fraud. Typically, these techniques were directed at improving the auditors’ control of non-sampling risk, and, as such, involved auditors’ obtaining more evidence of and from EBS to strengthen their business understanding and better corroborate evidence obtained from MII and MBR. A prominent early example is the profession’s widespread adoption of confirmation techniques. A more recent example is analytical procedures developed from the auditor’s understanding of the entity and its environment. Second, with the ever-increasing size of business organizations, and ever-more complex business processes and information systems, auditors continued to evolve methods for assessing RMW and RMM, including control evaluation frameworks and methods, analytical review techniques, and statistical sampling methods. For example, by the late 1980s, performing analytical procedures during the planning and final review phases of the audit had become generally accepted audit requirements. The ARM and formal definitions of assertions-based audit objectives had been developed to assist auditors with planning the nature and extent of substantive testing. And, by the beginning of the 21st century, comprehensive internal control frameworks such as COSO and CoCo had become widely adopted by the profession as guidance for auditors’ assessments of RMW and RMM. Risk Assessment and Audit Quality in the 21st Century

We now turn to more recent changes in auditing objectives and techniques identified in Figure 2.1. These changes largely represent heightened efforts to more effectively manage non-sampling risk. During the second half of the 1990s, KPMG developed its Business Measurement Process (BMP)—a version of what has become known as Strategic-Systems Auditing (SSA).25 SSA and BMP embrace the notion that, to reduce non-sampling risk to an appropriately low level, and thereby enhance audit quality, auditors usually will obtain considerable evidence of and from EBS.26 SSA and BMP further note that, like MII- and MBR-based evidence, EBS-based evidence has intrinsic limitations and tells only part of the story about components of audit risk; thus, EBSbased evidence alone is not sufficient evidence for assessments of components of 25

The KPMG monograph Auditing Organizations Through a Strategic-Systems Lens, published in 1997, presents rationale and concepts dealing with the auditor’s need to obtain an understanding of and from EBS to facilitate assessment of RMM. It also presents a collection of tools and techniques (e.g., strategic and process analyses) that, when properly implemented, can help guide the focus, breadth, and depth of the auditor’s understanding of changes in industry and entity conditions that could heighten RMM. The need for such understanding is reinforced by the auditor’s clear responsibility to plan and perform the audit to provide reasonable assurance of detecting material misstatements due to fraud, as some evidence of and from EBS is less distortable than evidence of and from MII or MBR by a management motivated to commit fraud.

26

Using a SSA approach neither is sufficient for, nor necessitates, any particular risk partitioning in terms of the ARM. SSA, however, does require the auditor to acquire a top-down and in-depth understanding of the audited organization’s EBS (and thus does emphasize evidence of and from EBS).

– 13 –

audit risk. Still, when evaluating MBR in financial statements, certain EBS-based evidence is especially helpful (e.g., EBS-based evidence that the audited entity’s MII transform to monitor operations, but not to generate financial statements, or EBSbased evidence captured by other entities or persons). Thus, drawing on complementary evidence of and from EBS, MII, and MBR helps the auditor to formulate and better justify his or her beliefs, and make better assessments of the components of audit risk. As also mentioned earlier, consistent with the framework underlying SSA and BMP, international authoritative guidance recently has increased minimum standards regarding the need to obtain a sufficient understanding of EBS, and has recognized more fully that EBS constitutes a source of audit evidence. For example, the ISAs now require the auditor to obtain an understanding of the entity and its environment sufficient to assess RMM, and explicitly recognize that such understanding (1) helps the auditor to plan the audit, (2) constitutes audit evidence itself, and (3) provides a context against which to evaluate other audit evidence (e.g., ISAs 315 From Auditing Organizations and 240 and the 540 Exposure Through a Strategic-Systems Draft). Thus, consistent with SSA, Lens, Bell et al. [1997] international authoritative standards [W]e draw a distinction between the reducnow recognize that auditors who fail tionist approach to audit risk assessment— to obtain a sufficient understanding assessing audit risk “through the accounting of EBS potentially elevate nontransactions”—and the strategic-systems sampling risk and, thus, audit risk. approach—assessing audit risk through a topdown, holistic view of the client’s business and its connections and interactions with its environment. We suggest that these perspectives are complements, and that the auditor should assess audit risk from both perspectives to make effective judgments about the validity of the client’s financial statements in today’s complex business environment.

For the 21st Century U.S. public company audit, the auditor assesses RMW and RMM, and assesses and manages DR, in particularly challenging and dynamic environments, and he or she must be prepared to demonstrate to regulators that the level of assurance obtained for the audit is a reasonable level of assurance. As depicted on the right side of Figure 2.1, we believe that a prudent evidence-acquisition strategy for obtaining that high level of assurance is to employ an audit architecture that overcomes the intrinsic limitations of any particular source of audit evidence through triangulation. Triangulation will increase the likelihood that the auditor acquires a sufficient, well-integrated understanding of the organization’s business and industry (and other selected EBS); its internal control structure (and other selected MII); and its financial statements (and other selected MBR). Also, the prudent 21st century auditor will seek to soundly evaluate

– 14 –

and integrate evidence germane to the financial statements taken as a whole (FST), significant classes of transactions and account balances (CAB), and intrinsic assertions (ASR), when conducting risk assessment procedures, including those procedures that are control tests and substantive tests. The portfolio of sufficiently From The Philosophy of Auditing, triangulated evidence, in turn, will Mautz and Sharaf [1961] enable the auditor to develop well-justiAlthough evidence is seldom conclusive, fied beliefs that facilitate assessments the more kinds of evidence we find in of RMW, RMM, and DR, as well as support of a given proposition, the more help the auditor to reduce DR to an likely that proposition is to be true…. [I]t is acceptably low level. not just the quantity of evidence; it is the fact that the approaches to the matter of obtaining evidence vary in nature and literally cover all possibilities…. An attack launched from three directions is not as strong as one from nine directions.

In conclusion, our overview of the evolution of the risk-assessment orientation of auditing suggests that the 21st century public company audit is a process involving recursive planning and execution of audit procedures to enable triangulated evidence-driven belief formation and revision and recursive risk assessments. Audit procedures, regardless of whether they are conducted during planning, control evaluation, substantive testing, or completion, are simply different and complementary kinds of risk assessment procedures. Further, in the U.S. environment the PCAOB’s issuance of AS2, which establishes the dual-opinion integrated audit, marks a significant turning point away from the compensatory view of the ARM by increasing minimum standards dealing with auditors’ need to obtain complementary forms of evidence. In Chapter Three, we present fundamental concepts underlying auditors’ evidence-driven belief formation and revision to perform recursive risk assessments. In a related vein, although different combinations of audit evidence can result in high audit quality, the prudent auditor is wary of combinations that do not emphasize triangulation. When auditors do not base their assessments of RMW and RMM on complementary evidence of and from EBS, MII, and MBR, audit quality may plateau at a point below reasonable assurance. When triangulation is employed, however, one of two more favorable outcomes is more likely to occur. On the one hand, complementary sources of evidence could provide consistent signals. If consistent signals were obtained across all three sources, the auditor’s beliefs and subsequent risk assessments likely would be more justifiable than if the auditor’s beliefs were based on only a subset of the three sources. On the other hand, the complementary sources of evidence could provide contradictory signals. If so, the auditor is likely to be able to improve audit quality by considering the nature and extent of additional evidence needed to reconcile the inconsistencies and thereafter obtaining such evidence. We elaborate on audit triangulation in Chapter Four.

– 15 –

Chapter Three

Evidence-Driven, Belief-Based Risk Assessment

Introduction

Society’s expectations about the nature and extent of assurance from financial statement audits, as well as the judgment processes underlying financial statement auditing, have been co-evolving over time within an expanding, complex, hi tech, global economic system. As the prior chapters have observed, however, a tipping point recently has been reached. Legislators, regulators, and standard-setters have enacted sweeping changes directed at raising the bar with respect to the quality of public company audits. Major initiatives to date have focused primarily on auditors’ business understanding, assessments of RMW and AUR, the auditors’ responsibility to detect material misstatements due to fraud, and audit firm inspections. To meet this elevated demand for audit quality, we believe that 21st century public company auditors will continue to seek ways to better manage and control nonsampling risks. Prudent auditors, for example, will take steps to manage nonsampling risk stemming from the process of belief revision and risk assessment in light of audit evidence at hand (e.g., ask themselves, “Could I explain to someone else the extent to which current evidence does or does not also support alternative plausible beliefs or risk assessments?”). In addition, prudent auditors will heed nonsampling risk potentially arising from the process of attempting to acquire an appropriate and sufficient portfolio of evidence (e.g., ask themselves, before acquiring evidence, “To what extent would such evidence, depending on its nature, both provide incremental support for some plausible beliefs and make other beliefs less plausible?”). We contend that acquiring triangulated evidence of and from EBS, MII, and MBR will facilitate reducing these two and other sources of non-sampling risk. The concept of triangulated evidence is discussed at length in Chapter Four. In this chapter we discuss the link between non-sampling risk and professional judgment. Subsequently, we discuss audit evidence and auditors’ beliefs, ultimately integrating these two concepts into discussion of auditors’ risk-assessment processes. We conclude Chapter Three with discussion of the role and import of auditors’ assessments of risks at different levels of magnification—the FST, CAB, and ASR levels.

– 17 –

Professional Judgment

Professional judgment is the very essence of auditing;27 it pervasively influences audit quality from beginning to end, and it can be both the primary means by which auditors control non-sampling risk and a major source of it.28 If evidence, beliefs, and risk assessments are cornerstones of auditing, professional judgment is their connective mortar. Consider the following requirement set forth in ISA 315: The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures. [Emphasis added.] Determining the level of understanding that is sufficient for the prescribed objectives, performing the task of assessing risk, determining an appropriate materiality threshold, and evaluating whether any particular MBR is misstated, all are examples of matters that require professional judgment. Also, interpretation and assessment of the entity’s application of complex financial accounting standards, e.g., FAS No. 133 in the United States, requires the exercise of professional judgment. Even a cursory review of the current set of ISAs makes it apparent that the audit process is professional judgment laden. Professional judgment refers to judgments of persons with experience, extensive education, and/or specialized training within a profession.29 Professional judgments typically are difficult, and often the most expert of professionals encounter especially challenging problems when forming judgments.30 It is no wonder that persons, especially nonprofessionals, sometimes disagree with professional judges’ conclusions: Of course experts make mistakes.…But precisely because they are experts, they are more likely to be right than ordinary people. Brain surgeons make mistakes, 27

See, e.g., Miller [1974].

28

In part because of the high degree of professional judgment required on audits, some economists characterize auditing as a credence service (e.g., Klein [1997]). One cannot easily discern the quality of a credence service, even after the service has been provided. Credence services can be contrasted with services for which quality is more easily discerned. For example, the quality of a hair cut/style is readily determinable by the person whose hair is being cut/styled. In contrast, the consequences of audit judgments made or actions taken are often vague, delayed, and incomplete. While some feedback may be obtained immediately (e.g., the number of documents in a sample exhibiting evidence that a control has been performed), other feedback may not be observable until a much later date (e.g., revelation of a material misstatement that the control was designed to prevent). And, even then, it may not be revealed unless one looks for it. In addition, the auditor cannot observe the outcome of audit tests that the auditor chooses not to conduct. These attributes of auditing are shared with other contexts in which learning from experience is rather difficult. See Einhorn [1980] and Hogarth [2004] for discussion of the difficulty in learning from experience in such situations, which they characterize as outcome-irrelevant learning structures (OILS). Finally, it is noteworthy that elsewhere the term experience goods is used to denote goods with characteristics similar to what we here describe as credence services (Houghton and Trotman [2003]).

29

See, e.g., Gibbins [1984], p. 104.

30

Psychologists characterize judgment processes as cognitive activities involving acquisition and integration of probabilistic cues, weighing of evidence, and testing of premises to better understand states of the world (Arkes and Hammond [1986]; Goldstein and Hogarth [1997]; Yates [1990]).

– 18 –

but they know more than the rest of us about brain surgery; lawyers make mistakes, but they know more than most people about the law. Where does this leave us? It suggests that many of the disagreements between experts and ordinary people stem from the fact that experts have more information and are also prepared to look at the benefits as well as the risks associated with controversial products and activities. Ordinary people often make judgments on the basis of quick, intuitive assessment, in which affect plays a larger role. (Sunstein [2002], p. 77) Professional judgments and consequent decisions characteristically involve tough tradeoffs. To illustrate, physicians can decide against routinely giving coronary artery scans to patients who are in their 20s, appear healthy, and have no remarkable family medical histories. While this approach saves money and enables healthy young adults to avoid the inconvenience and worry of having such scans (especially given potential false positives), there is an increased risk of missing likely fatal aneurysms in a few unhealthy young adults.31 Auditors’ professional judgments also involve many tradeoffs, but auditors face additional vexing obstacles. Physicians’ patients usually truthfully report their symptoms. In contrast, members of management may optimistically misrepresent the entity’s financial condition, results of operations, and other business attributes.32 Some members of management may even seek to conceal outright fraud by strategically altering information they expect the auditor will obtain as evidence.33 Corrupt managers may tell auditors half-truths and try to lead auditors down the primrose path by distorting assertions and their supporting documentation.34 Managers who commit fraud commonly create the appearance that their earnings forecasts have been met or exceeded, and if auditors allow such forecasts to unduly influence their expectations, subsequent distortions in business representations may not trigger sufficient auditor concern. In addition, experience has shown that managers sometimes go to great lengths to align accounting system documents and account 31

For more about making judgments when there are difficult tradeoffs, see, e.g., Hammond, et al. [1999].

32

In addition to helping auditors anticipate behaviors of strategic managers, professional judgment helps auditors address challenges posed by high stakes, time or budgetary pressures, conflicting preferences, dynamic instead of static phenomena, and differences in advice obtained via consultation, as well as with the frequent absence of clear-cut accuracy benchmarks and learning opportunities (see, e.g., Ashton et al. [1989]; Bell et al. [1997], [2002]; Einhorn [1980]; Emby and Gibbins [1988]; Kennedy, et al. [1997]). Such factors collectively make it challenging for even well-trained, experienced auditors to know how and when to intervene to best mitigate risks.

33

Research suggests that when material financial statement fraud occurs, the CEO, CFO, and/or other members of upper management are involved over 80 percent of the time (Securities and Exchange Commission [2003]).

34

Domanick [1989], as an example, discusses the lengths to which Barry Minkow and his close associates went to deceive auditors, bankers, and others in the ZZZZ Best case.

– 19 –

balances.35 Even though auditors exercise professional skepticism in an attempt to mitigate the risk of being deceived, there always will be some residual risk of material misstatement due to fraud. Audit Evidence

Audit evidence is all of the information used by the auditor in arriving at the conclusions on which the audit opinion is based.36 Evidence can be tangible and thus amenable to attaching to working papers, but it also can be intangible, consisting of, for example, attitudes of or actions by members of management suggesting that they take aggressive positions on financial reporting. To have evidentiary value, information must be germane to an audit objective. For example, information that reveals the operating effectiveness of MII that transform selected EBS germane to financial reporting would be audit evidence. Consistently, information that reveals the degree to which management’s financial statement assertions represent selected EBS in accordance with the applicable financial reporting framework also would be audit evidence. Consistent with the financial reporting process characterization introduced in Chapter One, management’s assertions as embodied in financial statements pertain to selected EBS, and management’s internal control over financial reporting should increase the correspondence between financial statement assertions and selected EBS. Thus, unless auditors can obtain sufficient appropriate evidence about underlying EBS, and about how and how well an entity’s MII capture and synthesize relevant EBS, auditors’ assessments of RMW, RMM, and DR will be tenuous. For example, it would be problematic if the auditor were to attempt to evaluate the design and operating effectiveness of MII without obtaining sufficient appropriate evidence to assess whether they transform selected EBS into MBR in accordance with the applicable financial reporting framework. Auditors’ Beliefs

While scholars continue to debate the precise boundaries between beliefs and knowledge, they long have recognized that only some beliefs can be equated with knowledge.37 In the ensuing discussions, we use the following definitions to distinguish auditor beliefs from auditor knowledge: knowledge is justified beliefs about facts known to be true; 38 beliefs are states of mind about facts that can be uncertain and vary in 35

Managers at Sirena Apparel Group, Inc. and Sensormatic Electronics Corporation, for example, reportedly engineered frauds by holding open the companies’ books beyond the close of year-end. Interestingly, they apparently altered dates on documents by changing the computer’s clock (Securities and Exchange Commission [2003]).

36

From ISA 500, Para. 3.

37

See Mautz and Sharaf [1961]; and Silvoso, et al. [1973].

38

See Chisholm [1982, 1989]; Russell [1948]; and Lucey [1996].

– 20 –

regard to justifiability. Belief thus is necessary, but not sufficient for knowledge, as are the properties of justifiability and truthfulness.39 As Lucey [1996], p. 21 notes, “You can’t know what isn’t so.” We would add, just because you have good reasons to think it is so doesn’t necessarily make it so. Figure 3.1: Reasonable Assurance within the Public Company Auditing Context

Beliefs vs. Knowledge

Have adequate evidence; justifiable beliefs.

Assurance thresholds and professional skepticism require particularly welljustified auditor beliefs.

B K

AJB

JB

Knowledge, or justifiable certitude regarding true, changing states of the world.

Figure 3.1 illustrates the difference between society’s view of the typical justified belief within the layman’s context, and within the context of public company auditing, where reasonable assurance is expected. The figure shows that beliefs in general (largest area B) can be more or less justifiable, depending on the extent and degree of validity of the evidence on which they rest. In the outer layer of B, beliefs rest on little valid evidence about true states of the world. The smallest area, labeled K, represents the subset of beliefs that rest on knowledge, or justifiable certitude. Compared to the layperson, whose beliefs may be considered by society to be sufficiently well justified (justified beliefs represented by area JB) when they are conditioned on a limited amount of valid and persuasive evidence, the auditor is held to a higher standard (auditor justified beliefs represented by area AJB). The AJB standard reflects both society’s high stakes in auditors’ opinions as well as auditors’ professional responsibilities. Among these responsibilities, the public company auditor must exercise professional skepticism. Today, and for the foreseeable future, auditors face increased minimum standards for planning and performing the audit to detect material financial statement fraud and for exercising professional skepticism.40 If the concept of professional skepticism continues to shift from neutrality toward presumptive doubt, the minimal 39

To illustrate the difference between beliefs and knowledge, consider that auditors likely know (and thus believe) that vouching generally is more useful than tracing when testing the existence of an asset and that when profits dry up, generally the temptation for managers to window dress increases. In contrast, auditors may believe (but cannot know) that members of management are honest.

40

See, e.g., SAS 99 in the United States.

– 21 –

amount of evidence required for the auditor to develop, and demonstrate to others, sufficiently well-justified beliefs may continue to rise.41 The implication for today’s auditors is that it is critical that they seek to develop beliefs and, thus, risk assessments that are sufficiently well justified. Evidence-Driven, Belief-Based Risk Assessment

Assessments of RMW, RMM, and DR involve integrating one’s evidence-driven beliefs into a mental model 42 that, when run, provides one with expectations 43 germane to the risk assessment and underlying audit objective. They further involve comparing these expectations with observations to ascertain their degree of concordance. To illustrate risk assessment within an everyday context, as well as the perils of overrelying on evidence of and from MII and MBR, suppose one is assessing the risk of running out of gas while driving. While one could rely only on an expectation that the gas tank is nearly empty, one ordinarily observes the gas gauge. Analogous to MBR, the gauge is supposed to faithfully represent how much gas is in the tank. The electric and mechanical apparatuses that make a gas gauge work are information intermediaries. Analogous to MII, they are supposed to transform the amount of gas in the tank into an unbiased and reliable representation.44 Ordinarily, one’s observation that the gas gauge represents that the tank is nearly full will suffice for decreasing one’s assessed risk of running out of gas. One drives on without giving the matter a second thought. Of course, on some occasions one’s mental model may heighten one’s skepticism of the gas gauge’s representations or the functionality of the transformative mechanisms that produce the gauge’s representations. When skeptical, one usually opts to initially obtain evidence about how much gas really is in the tank (analogous to evidence of 41

U.S. authoritative guidance seems to suggest simultaneously that the auditor assumes neither management’s dishonesty nor management’s unquestioned honesty (AU§230.09). For example, auditors must recognize that some risk of material misstatement due to fraud always exists, regardless of past experience with an entity (AU§316.13), and auditors must set aside beliefs that management is honest and possesses integrity when considering the possibility of management override of controls (AU§316.15, 316.16). Further, in U.S. authoritative guidance some of the suggested responsive audit procedures to the presence of fraud risk factors are consistent with the auditor taking on a forensic auditing mindset by, for example, directly asking about fraud when inquiring of accounting personnel or of operating personnel not directly involved in the financial reporting process, as well as undertaking some procedures on a surprise basis. As some commentators have noted, forensic auditors generally assume dishonesty unless there is evidence to the contrary (Panel on Audit Effectiveness [2000]).

42

Mental models are cognitive abstractions of reality that consist of organized knowledge and beliefs, integrated data about patterns of cues, and rules for linking cues (Bell et al. [2002]).

43

The term expectations is used here to mean beliefs that obtain after running a mental model and that concern appropriate values or relations that should manifest in internal control over financial reporting or in business representations. Thus, while all audit expectations are beliefs, only some beliefs are audit expectations.

44

As a side note, gas gauges are notoriously inaccurate, showing empty when there are gallons left in the tank and full for the first 50 miles (Nice [2004]). Inaccurate gas gauge representations arise when the sending unit, an information intermediary, fails to send electric current to move the gauge until fuel loss is sufficiently large to enable a physical float, akin to those in toilets, to drop below a certain point and because, thereafter, the float reaches its minimum well before all the fuel is gone.

– 22 –

and from EBS), e.g., by stopping at a service station to fill the tank. And, if it takes more gallons to fill the tank than the gauge’s representation would have suggested, one may thereafter mentally track miles driven and discount the gauge’s readings. Figure 3.2: Evidence-Driven, Belief-Based Risk Assessment Begin New Cycle

No Observations

Well justified?

Expectations

Yes

Audit Conclusion Reached

Identify Objective Plan Audit Procedures (plan approach to resolve discordance or to enhance justifiability)

Yes Significant discordance? No

Yes Well justified?

Compare Expectations & Observations (consider possible causes or discordance)

Observations Expectations

No This recursive cycle continues until all audit objectives have been satisfied after which point the auditor ordinarily renders an opinion

Observe & Interpret Evidence (consider employing evidentiary triangulation)

Form/Revise Beliefs (incorporate beliefs into mental model; running model yields/revises expectations)

Figure 3.2 presents a summary of key activities involved in evidence-driven, beliefbased risk assessments, as well as their linkages. The figure shows that auditors exercise professional judgment to identify critical audit objectives, design and execute responsive procedures to obtain audit evidence, thereafter evaluate such evidence, and then revise their beliefs. Auditors integrate these revised beliefs into their mental models of the entity. They then run their mental models to develop expectations about EBS that already have occurred, or that are likely to occur. Some of these expectations will concern elements of EBS that are (or at least should be) captured and transformed by the audited organization’s MII to generate financial statements. Other expectations, however, will concern elements of EBS that are not used to generate financial statements, but that are determined by the auditor to be relevant to assessments of RMW, RMM, and DR, and such elements might or might not be captured by the audited organization’s MII. Based on these expectations, auditors consider the ways in which MBR reasonably could represent or resonate with these business states (Bell, et al. [2002]).45 Auditors then observe actual MBR to assess the degree of correspondence between selected EBS and MBR. As the degree of correspondence 45

Auditors also will develop expectations about the capability of MII to appropriately capture and transform selected EBS. If MII do not appropriately transform EBS, the auditor’s substantive testing will draw all the more significantly on EBS-based evidence to ascertain the veracity of MBR. In some cases, sufficiently poor MII may cause MBR to become unauditable.

– 23 –

increases (decreases), the assessed RMW, RMM, and DR generally will decrease (increase). Auditors recursively continue with this risk assessment process until they have obtained sufficient appropriate evidence for the audit objectives at hand. We illustrate this process using the following simple hypothetical example.46 The lead partner on the audit of a Brazilian manufacturer understands that the company sells most of its products in Mexican markets. While updating her understanding of the entity and its environment, she learns that the Mexican economy is in deep recession. She naturally, then, expects that the entity’s sales will have declined and their bad debt expense will have increased. She reviews the most recent quarter’s financial results and observes that sales have grown in line with the forecasts the management had provided earlier to the capital market and that the ratio of bad debt expense to sales remained constant. Consequently, she assesses RMM for both sales and bad debt expense as high. What exactly happened here? The auditor’s earlier mental model of the organization included the understanding that the entity operated predominantly in Mexican markets. As the current audit commenced, she set the objective—update my understanding of the entity and its environment to assess RMM. While investigating critical components of the entity’s business model, as now required by ISA 315, she obtained evidence through the news media and by inspecting relevant economic reports that the Mexican economy was in a state of crisis. This new information was integrated into her mental model of the organization. She then developed the expectation that this unfortunate turn of events would slow down entity sales and that a higher percentage of customers would not be able to pay their accounts (i.e., she ran her mental model to develop expectations about the financial consequences to the entity of the downturn in the Mexican economy). Upon observing that the entity’s most recent quarterly financial reports presented a significant growth in sales, and a stable percentage of bad debt expense, she became concerned that this was too good to be true (i.e., she decided that these accounts had a high RMM). In light of high assessed RMM, she will further manage DR by designing and applying additional responsive risk-assessment procedures. Figure 3.2 also shows that evidence-driven, belief-based risk assessment is a recursive process. For a given account balance, class of transactions, or disclosure, and ultimately for the financial statements taken as a whole, each time new evidence is 46

One should not think that risk assessment is easy, even with sound evidence and sound judgment. Humans often have trouble accurately assessing even static, fairly simple risks. As Bell et al. [2002] note, auditors often face risks that are dynamic and complex. Assessing such dynamic and complex risks may require sound systems thinking skills, and these skills are not normally part of a person’s repertoire unless he or she has received training. Systems thinking likely is critical to auditors in part because, for large public companies, they often begin the audit during the first or second quarter of the annual period under audit. Consequently, auditors often assess dynamic risks that accompany changing economic actions, events, and conditions before many of the final business representations would have occurred.

– 24 –

obtained and beliefs are revised, the auditors will reassess whether sufficient appropriate evidence has been obtained to form the basis for an opinion. Auditors continue to engage in evidence-driven, belief-based, risk assessment until they conclude that their beliefs and, in turn, risk assessments are sufficiently well justified. Notably, unless auditors’ beliefs are well justified, there is no logical reason to conclude that their risk assessments will be well justified. Some people may believe that auditors design and execute risk assessment procedures only at a few specific times, such as at the start of the audit when planning the nature, timing, and extent of audit procedures. Actually, as previewed in the earlier chapters, regardless of the stage during which they are performed, all audit procedures with a potential to yield evidence are, fundamentally, risk assessment procedures. They are risk assessment procedures because evidence has belief formation/revision potential, and beliefs are the cognitive content on which auditors base their assessments of RMM as well as their assessments and management of DR. As auditors’ beliefs change, their risk assessments may change; unless auditors’ beliefs change, their risk assessments should not logically change. Assessments of RMW, RMM, and DR at Different Levels of Magnification

Auditors assess RMW and RMM, and assess and manage DR, at what might be called three levels of magnification—the financial statement (FST), classes of transactions and account balances (CAB), and assertions (ASR) levels.47 Multilevel risk assessment, involving complementary assessments of RMW, RMM, and DR from different vantage points, can improve the efficacy and thus the justifiability of auditors’ belief revision and risk assessments. For example, assessing RMM at the FST level after considering the degree of correspondence between EBS and key financial performance indicators developed from the composite financial statement measures may reveal a too good to be true scenario that is not apparent at other levels of magnification. Multilevel risk assessment also helps ensure that composite performance measures do not merely appear to be materially correct when, in fact, two or more material errors exist in different accounts and, fortuitously, cancel out at the composite measure level (e.g., net income). The quality of auditors’ assessments of RMW, RMM, and DR, and their management of DR, rests in part on the quality of the underlying evidence that drives their beliefrevision and risk assessment processes. For significant account balances, classes of 47

It also is worthy of note that while auditors assess risk ahead of time, others judge the auditors’ assessments of audit risk after the fact. If, after the audit is finished, regulators or market participants observe signals of potential misstatement, demonstrating compliance with authoritative guidance may not shield the auditors from reputational or financial harm, as costly legal discovery ensues. An excellent way for auditors to demonstrate that their belief-based risk assessments are well justified is to show that their beliefs rest on a diverse base of triangulatory evidence, all of which points to a common audit conclusion.

– 25 –

transactions and disclosures, 21st century public company auditors consider the need to obtain evidence from multiple sources. Merely obtaining more evidence of a particular kind may not compensate for evidence that otherwise is of poor quality.48 The next chapter discusses triangulation, a means of strengthening the justifiability of auditors’ beliefs.

48

See, e.g., ISA 500, paragraph 7.

– 26 –

Chapter Four

Triangulation

Introduction

As depicted in Figure 4.1, triangulation is a way of gathering mutually reinforcing evidence of and from three fundamental sources useful in formulating and revising well-justified beliefs by which auditors subsequently derive their risk assessments. Triangulation 49 occurs when the auditor understands the degree to which the same audit conclusion is supported by evidence of and from all three fundamental sources: EBS, MII, and MBR.50 While traditional public company audits naturally treat MII Figure 4.1: Triangulation Management Information Intermediaries (MII)

Entity Business States (EBS) Suppliers

Customers

Internal Control (Including Internal Control Over Financial Automated Reporting) Processes

Audited Entity Alliance Partners

Regulators

Competitors

Capital Markets

Applicable Reporting Framework

Management Business Representations (MBR)

Manual Processes

General Purpose F/S Journals & Ledgers MD&A

49

Triangulation has its roots in surveying and navigation whereby a region would be accurately measured by application of trigonometry (Oxford Online English Dictionary [2004]). Skeptical of the validity of initially measured distances, surveyors and navigators would lever the laws of trigonometry to assess whether individual measures reasonably crossed-checked. Today, triangulation is a commonly accepted means by which social scientists improve their confidence in a research conclusion (Harvey, MacDonald, and Hill [2000]). In social science, triangulation involves the use of multiple research methods (e.g., interviews, field studies, and experimentation). If findings based on different research methods all point to the same scientific conclusion, the scientific community’s beliefs revise more strongly to support the underlying theory being tested or constructed. Inherent weaknesses in one particular research method can be overcome if the same scientific conclusion is supported by another research method that is strong in the area for which the first research method was weak. In social science, using two or more different research methods potentially would be characterized as triangulation. The strength of triangulation, however, would increase with the use of a greater number of methods.

50

EBS are, e.g., economic actions and events; industry, regulatory, and other external forces; entity objectives, strategies, and related business risks; and business process operations and outcomes, including non-financial outcomes. MII are transformative processes that include policies, people, accounting and other information systems, business forms and documents (e.g., invoices, purchase orders, vouchers), internal control over financial reporting (including oversight by corporate governors), and the applicable financial reporting framework. MBR include amounts recorded in journals and ledgers, composite depictions of such amounts presented in general purpose financial statements, and other management representations to users, such as MD&A and communications with analysts.

– 27 –

and MBR as two mutually strengthening sources of evidence, triangulation also emphasizes complementary evidence of and from EBS. Triangulation recognizes that consistency between MII and MBR does not ensure that MBR contain reliable representations of EBS. In assessing the extent to which evidence of and from EBS complements evidence of and from MII and MBR, it is useful to classify EBS into elements that have (or should have) been captured and measured by (1) the subset of MII comprising the audited organization’s financial accounting systems and production of financial statements (such MII would include, e.g., an airline’s earned and unearned revenue from passengers and freight), (2) the subset of MII used internally for making strategic decisions and resource allocations (such MII would include, e.g., an airline’s operational performance measures such as kilometers flown per period and aircraft type, passenger load, and capacity statistics over time and across regions), and (3) other organizations or persons (e.g., an airline’s key customers can confirm contract fare terms and usage rates, business analysts measure global and regional air traffic activity, health organizations report on incidence of undesirable ailments, such as sudden acute respiratory syndrome or SARS). These categories, however, are not mutually exclusive. And, generally, while elements of EBS that are captured and transformed by the subset of MII the audited organization uses to generate financial statements pertain to audit objectives, they also are relatively susceptible to management distortion. In comparison, elements of EBS captured and transformed by the audited organization’s MII but that are not typically used to produce financial statements can be relevant to audit objectives but arguably are less susceptible to distortion (since personnel within the organization use such information for other important purposes, e.g., strategic decision-making). Finally, elements of EBS captured and transformed by other organizations’ informational intermediaries or by other persons can be relevant to an audit objective but arguably are even less distortable by the audited organization’s management. By considering the nature of EBS-based evidence as well as the extent to which an audited organization’s management can distort such evidence, the auditor better understands the degree to which EBS-based evidence overcomes intrinsic weaknesses of evidence from MII and MBR. Armed with this improved understanding, the auditors can assess the value of triangulation with EBS-, MII-, and MBR-based evidence and thus improve the quality of the integrated audit.51 51

Triangulation differs from mere replication. Replication involves, for example, retesting an assertion using the same evidentiary source but with new data points (e.g., expanding a sample size). Replication does not mitigate bias that may be present in one evidentiary source, and the possibility of intentional bias exists when dealing with evidence that is under management’s direct control. No matter how many times one retests a proposition via replication, if the same fundamental and biased population is being drawn upon, a biased belief is likely to follow.

– 28 –

Triangulation enables audit quality improvement in two related ways. First, comparisons across EBS, MII, and MBR evidence help the auditor to address risks of unintentional financial statement misstatements and risks of material weakness in internal control over financial reporting. Potentially informative on its own, MII-based evidence, for example, becomes more informative if it both conditions how the auditor interprets EBS- and MBR-based evidence and if its interpretation is conditioned by EBS- and MBR-based evidence. Since triangulation fosters mutually reinforcing, conditional interpretations of evidence, it amplifies the overall informativeness of evidence. Notably, even when an auditor judges that a single evidentiary source may be sufficient to achieve a given audit objective, the auditor generally first must assess the reliability of that single source. One way to assess its reliability is to ascertain whether another source of evidence supports the same or a different audit conclusion. For example, triangulation helps auditors to evaluate the reasonableness of management’s accounting policy choices, and the manner in which related accounting methods are applied for significant unusual transactions fraught with business risk. As another example, triangulation also helps the auditor to evaluate the effectiveness and timeliness with which internal accounting procedures and related controls capture and successfully transform relevant business events or changing business conditions (e.g., How quickly does an entity’s MII capture and transform environmental liabilities associated with acquired properties? How long before reliable measures of such liabilities become available for internal decision making or for potential financial statement accrual or footnote disclosure?). Also, changes in EBS (e.g., operating plans, operating effectiveness, or general economic conditions) can undermine the effectiveness of existing internal controls and approaches used to develop accounting estimates. Second, triangulation is particularly helpful when the auditor is concerned about intentional misstatement. Notably, an auditor employing triangulation will acquire evidence of and from EBS and some such evidence is more difficult for the entity’s management to fabricate than is evidence of or from MII and MBR.52 Similarly, an understanding of EBS can help the auditor to spot MBR that appear too good to be true. And, when the client management is aware that auditors are collecting significant evidence of and from EBS beyond their control, they may be less inclined to engage in fraud in the first place.

52

See, e.g., ISA 240. While evidence of and from EBS generally is less susceptible to management distortion than is evidence from MII or MBR, not all evidence of and from EBS is equally free of potential management distortion. Management may be able to distort some operating performance measures more easily than other operating performance measures (e.g., spoilage rates versus sales per square foot). And, management may be able to pressure some external stakeholders (e.g., major suppliers or related parties) to comply with their own preferences in providing evidence to auditors compared with disinterested, arm’s-length stakeholders.

– 29 –

Triangulation and Auditors’ Indirect Evidence Problem

Auditors, of course, traditionally have directly examined or observed evidence of and from EBS. Since the McKesson & Robbins case in the 1930s, for example, auditors routinely have observed, and made test counts of, an entity’s inventory and confirmed accounts receivable. Still, even as recent as several decades ago, only a few operating events (e.g., payroll distribution) actually were observed.53 Over time, auditors’ attempts to amass sufficient appropriate evidence have been challenging due to what thought leaders from several decades ago called the indirect evidence problem: [I]n the natural sciences, for example, experiments are designed in a way to permit the inquirer to perceive directly either the events or their consequences. The audit of financial statements involves an additional complication. The events in which the auditor is interested are enterprise transactions, and their effects are the events and their consequences as depicted in financial statements. However, with some major exceptions, the phenomena in which the auditor is interested are not observed directly by him, but rather by the client’s personnel (Silvoso et al. [1973], p. 31). Historically, most audit evidence has been indirect evidence. Indirect evidence largely has come in three forms: (1) evidence about the architecture and operating effectiveness of MII, including internal controls, that transform EBS into MBR (e.g., ensuring that shipping documents and approved customer orders support sales journal entries and that there is a clear separation of duties among those who prepare and authorize such documents); (2) evidence about the degree to which subcomponents of MBR cohere (e.g., ensuring the absence of one-sided entries and tracing amounts from journal entries through the ledger and trial balance and to the composite representations included in the financial statements); and (3) mutually reinforcing evidence from MII and MBR that supports the same audit conclusion (e.g., tracing authorized purchase orders to receiving reports and canceled checks, the latter signed by a custodian independent of both the initiator and authorizer of the purchase order, and to journal entries made by yet another independent person). As noted earlier, recent changes to the authoritative guidance have increased minimum standards dealing with auditors’ need to obtain more evidence of and from EBS, and have recognized more fully that such evidence is audit evidence. Preceding these institutional changes, auditors already had begun to evolve their audit approaches to place greater emphasis on acquiring evidence of and from EBS (with an emphasis on business models and strategies, business risks, and performance occurring in the audited entity’s core business operations). 53

See Silvoso et al. [1973], p. 31.

– 30 –

An overarching reason for these developments was to improve and broaden the evidential base for auditors’ beliefs, mental model development, and risk assessments, thereby better controlling non-sampling risk.54 Consistently, auditors recognize that to obtain evidence about management’s incentive to engage in fraud, a key fraud risk factor in authoritative guidance,55 an understanding of EBS is particularly helpful. The incentive to commit fraud intensifies when business operations fail to meet performance targets, so the auditor must identify when and where operations are at risk of falling short of targets. In this respect, the advent of greater resource investment toward accumulation of evidence of and from EBS has been especially timely given auditors’ increasing responsibility for detecting material misstatements due to fraud. Precision of Expectations Based on Evidence of and from EBS

One possible objection to using evidence of and from EBS for the purpose of triangulation is that such evidence may be less conducive to development of precise expectations compared with evidence of and from MII or MBR.56 For example, the link between some nonfinancial business performance indicators and financial statement account balances may not be straightforward, thereby making it difficult for auditors to develop precise expectations based on such information. Nevertheless, we contend that it does not logically follow that such evidence would have less potential for the development of well-justified beliefs relative to evidence an auditor gathers exclusively from other sources. On the contrary, evidence of and from EBS may well provide relevant and new audit insights or challenge tentative conclusions based on evidence from MII or MBR; this is the essence of viewing evidence from different sources as predominantly complementary rather than compensatory. If such evidence suggests intentional misstatement present in MII or MBR evidence, questions about relative precision of expectations based on evidence of and from EBS arguably are of secondary importance. Of primary 54

Fairly recent conceptual advances accompanied by advances in the set of tools that can be applied have facilitated obtaining relatively direct evidence about business states. For example, within the last few decades, there have been innovations in strategic management (e.g., Porter [1980], [1985]), performance measurement (e.g., Kaplan and Norton [1996], [2004]), as well as in systems thinking and competitive strategy dynamics (e.g., Senge [1990]; Sterman [2000]; Warren [2002]). These advances, and toolkits developed therefrom, have made it practicable for auditors to implement in a systematic fashion the audit team’s acquisition of an understanding of the entity and its environment to assess RMW, RMM, and DR as well as to reduce DR, as discussed in extant authoritative guidance (e.g., ISA 315). Another reason for the greater investment is recognition that adverse changes to business states can heighten auditors’ exposure to legal liability, holding the quality of financial reporting constant.

55

See, e.g., ISA 240 and SAS 99.

56

The source of relatively less reliability could be intrinsic to evidence itself or to greater inter-auditor variability in interpretation (due to, e.g., less experience in interpreting such evidence). The latter form of reduced reliability is what others have called intersubjectivity (Silvoso, et al. [1973]). Intersubjectivity would be high, for example if five auditors were to observe the exact same phenomena at the exact same time but believe they had observed five substantially different phenomena.

– 31 –

importance, understanding EBS may help auditors to detect fraud by attending to Montaigne’s famous caveat, “Nothing is so firmly believed, as what we least know.” 57 Triangulation and Different Levels of Risk Assessment

The concept and attendant benefits of triangulation extend to belief formation or revision and risk assessment at all three qualitative levels of magnification, FST, CAB, and ASR, as symbolized by the small triangles appearing in Figure 4.2. Figure 4.2: Triangulation at Different Levels of Magnification Assertions Level Classes of Transactions and Account Balances

Financial Statement Level

Accounts Receivable

$

Cash Accounts Receivable

Are accounts receivable and sales non-fictitious, properly valued, and so on?

$

Allowance

$

General Purpose F/S

$ Does management allow for a reasonable amount of uncollectible accounts?

Are assets and/or net income materially overstated?

Evidence about EBS may help auditors refine expectations for the purpose of assessing RMM, and assessing and managing DR, at the financial statement level. For example, if an auditor were to observe a significant decline in the financial performance of a telecommunication entity’s peers, the auditor may expect that entity’s financial performance to deteriorate as well. If that entity’s MBR run counter to such an expectation by portraying consistently strong profits and unexpected growth in capital spending, the auditor may assess an elevated RMM at the financial statement level and decide to obtain more persuasive audit evidence of and from EBS to further reduce DR.

57

If signals based on evidence of and from EBS, MII, and MBR were to conflict, the prudent auditor would want to find out the reason(s) why. One possible reason would be that EBS evidence provides an inaccurate signal and MII or MBR evidence provides an accurate signal. If this were true, acquisition of more evidence, although costly, eventually could bring the inaccuracy to light. The more disconcerting reason for conflicting signals across evidentiary sources is that a misstatement, perhaps intentional in nature, exists in the other two sources of evidence. If this were true, more evidence of and from EBS would not lead to convergence of signals. Instead, it would supply the auditor with a well-justified basis to revise his or her beliefs and risk assessments about the nature and magnitude of potential misstatement.

– 32 –

Evidence of and from EBS also could help auditors revise their beliefs and assess risks at the class of transactions and assertions levels. For example, the auditor of a large clothing retailer may query the retailer’s key vendors to assess the risk that the retailer has overcharged vendors for markdowns and chargebacks. As the level of chargebacks typically should correspond with the degree to which vendors have complied with agreed upon business practices, the auditor may want to learn about key vendors’ compliance rates by, e.g., examining attributes of products received from vendors or querying vendor management or the retailer’s operating personnel. To complement evidence of and from EBS, auditors could lever evidence of and from MII. For example, auditors may examine retailer documentation as well as the retailer’s copies of the vendor’s or shipping entity’s documentation. In addition, auditors could observe directed searches of e-mail or telephone archives performed by internal auditors for correspondence with vendors or among operating personnel that indicates potentially excessive chargebacks. Finally, evidence of and from MBR could complement EBS- and MII-based evidence, thereby providing auditors with better-justified beliefs for assessing RMW and RMM at the class of transactions and assertions levels. Continuing with the clothing retailer example, auditors may observe the retailer’s time-series of chargebacks, broken down by key vendors and store locations. On a sample basis, auditors could assess the correlation of the time-series of chargebacks with key performance indicators that pertain to the quality of the vendor’s products, packing, and delivery business practices. If it appears that the chargebacks do not correspond to poor quality of vendor business practices, auditors may elevate the assessed RMM for chargeback transactions and for assertions related to pertinent accounts (e.g., valuation and completeness of accounts payable and cost of goods sold). Triangulation, Skepticism, and the Integrated Audit Process

Acquiring an understanding of evidence of and from EBS (e.g., entities’ strategic objectives and actual operating performance) helps the auditors assess the degree to which management may be tempted to misrepresent MBR as well as to exercise and demonstrate professional skepticism.58 Professional guidance stipulates that professional skepticism involves having a questioning mind. Our prior discussion of nonsampling risk, professional judgment, and the need for auditors to develop well-justified beliefs underscores audit-quality benefits of auditors directing skepticism (i.e., 58

Some of the high-profile cases of alleged financial statement fraud reported in earlier chapters were preceded, and possibly precipitated, by changes in the entity’s business strategy in response to increased business risks or perceived new business opportunities. For example, Lincoln Savings and Loan attempted to fend off eroding profits by moving into a new line of business—commercial real estate development. Also, Healy and Palepu [2003] suggest that Enron’s troubles were precipitated, in large part, by management’s strategic decision to extend its natural gas trading business model and become a financial trader and market maker in electric power, coal, steel, paper and pulp, water, and broadband fiber optic cable capacity.

– 33 –

questioning minds) inward to their own fallible judgments. Inward-directed skepticism involves auditors being preemptively self-critical in anticipation of various arguments that others could bring against their beliefs or the evidential base they have or have not relied upon to form such beliefs.59 Of course, auditors also must direct their skepticism outward to management’s claims, especially when attacking RMW and AUR due to management fraud.60 Skepticism of management’s claims, by extension, means that the auditor should have a questioning mind about management-controlled sources of evidence. Since management usually can control both MII and MBR evidence, consistent evidence of and from MII and MBR collectively provide auditors with, at best, a basis to believe that two qualitatively different possibilities exist: (1) the MII and MBR are reasonable in light of EBS and (2) the MII and MBR are both unreasonable in light of EBS, potentially due to strategic management fraud. Importantly, if the auditor were to treat evidence that is merely congruent with item (1) above as if it helped discriminate between items (1) and (2) above, the auditor would be falling prey to what judgment and decision scholars call the confirmation bias.61 To distinguish between two rival hypotheses, the auditor would need to think of evidence that is quite likely to differ, depending on which of two rival hypotheses actually is valid. We contend that this evidence often will be evidence of and from EBS (and, in particular, EBS-based evidence that is not captured and used to generate financial statements). Compared with other evidentiary sources, such EBS-based evidence is less likely to be under management’s control and subject to distortion, e.g., EBS evidence captured by other organizations or persons or by those audited organization’s MII that generate non-financial-statement performance measures to aid strategic decisions or monitoring of operations. In essence, we are advocating that the auditors carefully consider the nature of the EBS-based evidence on which they rely as well as the extent to which they rely on such evidence. The auditors must think about what evidence of and from business operations, third-party organizations, or elsewhere within the EBS is relatively more likely to be undistorted by management (i.e., independent evidence). Management may well be able to sway related parties, for example, to adopt the party line. Similarly, auditors generally would be interested in obtaining answers to the kinds of questions that analysts ask of management, but, at the same time, prudent auditors are wary of potential over-optimism in answers that analysts supply in their reports when such analysts work in organizations that have an investment-banking arm. 59

For more about preemptive self-criticism see, e.g., Tetlock, et al. [1989].

60

See ISA 240.

61

See, e.g., Baron, Beattie, and Hershey [1988] and Brown, Peecher, and Solomon [1999].

– 34 –

If professional skepticism continues to evolve from neutrality toward presumptive doubt, auditors may be even better served by assessing the correspondence between internal sources of evidence that management can distort and independent external sources of evidence. For example, suppose an auditor were testing inventory returned from customers shortly after year-end as a way to test whether year-end sales occurred and were properly valued. If that auditor were to obtain evidence of and from EBS (e.g., by analyzing KPIs regarding production or by physically examining returned inventory items), the auditor would be in a position to subject MII evidence (e.g., return authorization and restocking documentation) and MBR evidence (e.g., relations among details of accounts including inventory and accounts receivable) to a reasonableness check.62 In addition, the auditor may want to increase the number of random control tests and substantive tests that lever evidence of and from EBS to address strategic elements of RMW and RMM. If management were inclined to commit fraud, the auditors’ increased understanding of EBS (e.g., understanding that a sales target is unlikely to be met) could cause management to change its behavior in at least two important ways. One, management could decide against committing fraud (since the auditors may be especially vigilant). Two, if management still were inclined to commit fraud, management could conceal the fraud in financial statement accounts otherwise unrelated to sales (e.g., estimates for pension reserves). To summarize, in our view, an integrated audit process involves addressing RMW, RMM, and DR by skeptically developing well-justified beliefs about how well and why an entity’s MII and MBR cohere and by skeptically identifying procedures by which to continue revising those beliefs. That is, auditors should develop well-justified beliefs about how well EBS, MII, and MBR, taken collectively, tell the same essential story (subject to, of course, constraints imposed by applicable financial reporting frameworks). Initial evidence from either MII or MBR that seemingly supports assertions should be presumptively doubted until it is corroborated via triangulation. Triangulation, Substantive Procedures, and SOX 404

International guidance characterizes substantive procedures as audit procedures that are designed to detect material misstatement at the assertion level.63 Confirmations 62

In the mid 1980s, MiniScribe management included in inventory items that they asserted to be saleable computer hard drives but that actually were bricks. MiniScribe management fraudulently had shipped bricks instead of hard drives to distributors and recorded the shipments as sales. When distributors returned the bricks, MiniScribe counted them as inventory (Lendez and Korevec [1999]). Levering triangulation, the MiniScribe auditors may have been able to further reduce DR by analyzing whether MiniScribe’s stocks and flows of raw materials inventory contained enough parts to make as many hard drives as management asserted were sold.

63

See IAASB (2005) glossary of terms. We believe that all audit procedures are risk assessment procedures in that, to varying degrees, they enable acquisition of evidence. Evidence, in turn, enables auditors to revise their beliefs and risk assessments for RMW, RMM, and DR.

– 35 –

are perhaps the easiest substantive audit procedure to think of in terms of triangulation. Typically, auditors use confirmations to help substantiate the existence of accounts receivable that are indicated by a trial balance figure. Auditors rarely limit their assessments of RMM and assessments and management of DR for representations such as accounts receivable to investigations of whether the trial balance and subsidiary ledger amounts agree (i.e., MBR evidence). Especially when internal controls are well designed and operating effectively, auditors prefer to complement MBR evidence with evidence obtained from the entity’s MII, such as sales invoices and shipping documents. Auditors also typically obtain evidence of and from EBS (via confirmations) because both MBR and MII are susceptible to intentional bias, e.g., via the introduction of fictitious accounts receivable into the ledger with fictitious supporting documentation. In contrast, arm’s-length customers are less likely to misrepresent their obligations to audited organizations. Confirmations, thus, illustrate the value of using evidence of and from EBS (customers’ agreement that they owe money to the entity) to complement MBR evidence (trend in receivables; agreement between subsidiary and general ledger) and MII evidence (sales invoice and shipping documentation), thereby enhancing overall evidence persuasiveness. Variations of other audit procedures also provide opportunities for triangulation. Vouching, as an example, normally involves corroborating evidence observed in MBR (e.g., a list of tangible assets) by virtue of reaching into MII for supporting documentation (e.g., vendor invoices and receiving reports in the auditee’s possession). There is no reason, however, that vouching procedures must stop after reaching into MII. On the contrary, auditors’ evidentiary base may be enhanced if they were to reach further into EBS (e.g., selectively review security videos of the arrival of assets or physically examine assets to which vendor invoices and receiving reports ostensibly refer). A similar observation holds for tracing—the auditor could think of ways to trace from EBS through MII to MBR instead of starting with MII by default. When testing the completeness assertion for accounts payable, for example, auditors could inquire of personnel responsible for supply chain management to compile a list of suppliers they have contacted in the course of business operations.64 If some of these suppliers were unlisted or were listed as having zero balances in the entity’s accounts payable ledgers, the auditor could contact such suppliers to verify whether the audited organization owed money to them. Another approach would be to focus on suppliers that historically have provided very high-quality raw materials to a company that follows a differentiation strategy and competes on product quality. The auditor could 64

To illustrate, one way to complement tests of the completeness of accounts payable conducted via use of evidence from MBR (e.g., cross-matching payables with inventory records) would be for the auditor to acquire evidence of and from EBS by inquiring of personnel responsible for supply chain management business operations. Inquiry of business-operations personnel, as opposed to just personnel within accounting or finance functions, is common in forensic auditing and may be beneficial to auditors when assessing the risk of fraud in a financial statement audit (see, e.g., SAS 99).

– 36 –

identify such suppliers using EBS-based evidence transformed by the entity’s MII to monitor its supply chain management business process. It could be strategy-inconsistent and, thus, a trigger for further investigation, if management were to assert that it owes such suppliers little to no money. These ideas also are applicable to analytical procedures as evidence from current and historic operations could serve as a reasonableness check on MBR in financial statements. For example, an auditor could compare suppliers’ abilities to provide sufficient raw materials of acceptable grade and quality (as measured by defect rates per unit of raw materials delivered, on-time delivery rates, etc.) with management’s assertions regarding the inflows, outflows and balances of raw materials and finished goods inventories and/or periodic sales. Finally, the SOX 404 requirement for public companies in the U.S. environment to obtain assurance regarding management’s assertions on the effectiveness of internal control also would benefit from triangulation. MII should faithfully transform selected EBS into MBR contained in financial statements. Thus, narrowly focusing on evidence of and from an intermediary itself (e.g., the control environment, accounting information system, and control activities) is an inferior approach conceptually relative to focusing on the intermediary together with EBS that the intermediary is supposed to capture and transform, e.g., business operations, risks, and controls, as well as the resulting MBR.65 Concluding Remarks

Today’s integrated audit requires the auditor to develop well-justified beliefs and risk assessments about both the coherence between selected MII and MBR and about their correspondence with underlying EBS. Moreover, for most, if not all, significant audit risks, the prudent auditor will presume that triangulated evidence is needed to develop well-justified beliefs. Of course, planning decisions about evidence are subject to auditors’ professional judgment, and there may be some audit objectives for which triangulated evidence would be unnecessary or impractical.66 Regardless of the extent of triangulation, however, auditors should consider the set of audit procedures that would be expected to yield sufficient appropriate evidentiary support to produce well-justified beliefs and risk assessments. In the end, it is professional judgment, and not hard-and-fast rules, that determines auditors’ decisions on the nature and strength of evidence required with respect to any given audit objective. 65

See Solomon and Peecher [2004].

66

If, for example, the auditor’s professional judgment were that triangulation would be unnecessary to meet a specific audit objective, he or she would perform those procedures judged to be sufficient and move on. The auditor may make such a judgment at times when testing assertions such as the arithmetic accuracy of account balances. For other assertions, however, such as the valuation of accounts receivable or classification of leases as operating or capital, the auditor normally will judge that triangulation is essential.

– 37 –

Chapter Five

Overview of KPMG’s Global Audit Methodology

In preceding chapters, we discussed how audit objectives have evolved in response to changing business conditions and societal accountabilities, and how auditors have adapted their methods to achieve these evolving objectives. We also presented concepts that we believe to be germane to attainment of the high level of quality that society expects from 21st century public company audits. Our earlier discussions largely consisted of explanations of central conceptual ideas and assumptions. In this chapter, we provide an overview of KPMG’s Global Audit Methodology—an integrated audit methodology that embraces concepts presented earlier in this monograph. We do not intend, however, to address implementation details of KPMG’s Global Audit Methodology, nor do we comprehensively cover the methodology itself and how it comports with PCAOB auditing standards or ISAs. Rather, we illustratively present features of the KPMG Methodology, and examples of how these features could be implemented. Auditors use professional judgment to determine the nature, timing, and extent of procedures to be performed on any specific audit engagement, and such Figure 5.1: Audit Workflow Element

Activities

Planning

Perform risk assessment procedures and identify risks A • Determine audit strategy and identify critical accounting matters • Determine planned audit approach

Required Documentation

•

1

• • •

Planning document Entity-level control program Audit programs for specific topics

• • •

Audit programs Financial reporting audit program Audit programs for specific topics

Plan substantive procedures Perform substantive procedures Consider if audit evidence is sufficient and appropriate • Conclude on critical accounting matters

• • • •

Audit programs Financial reporting audit program Audit programs for specific topics Summary of audit differences

Perform completion procedures Perform overall evaluation of the financial statements and disclosures • Form an audit opinion

• • • • •

Completion document Financial reporting audit program Audit programs for specific topics Summary of audit differences Audit checklist

•

2

Understand accounting and reporting activities

Control B • Evaluate design and implementation of selected controls Evaluation • Test operating effectiveness of selected controls •

33

Substantive Testing

4

Completion

A

Assess control risk and ROSM

• • •

• •

Preliminary decision on controls or substantive approach for each audit objective

B 2

– 39 –

Confirm decision on controls or substantive approach for each audit objective

procedures will vary with audit objectives and with attributes of the audited organization and its environment. Accordingly, the examples we present may not be relevant for any given audit engagement. KPMG’s Global Audit Methodology

The KPMG Global Audit Methodology is a unified whole. That said, it is useful to illustrate the workflow in phases. While auditors perform qualitatively different audit procedures during each phase, they continuously are engaged in a cumulative, recursive risk-assessment process. As shown in Figure 5.1, audit procedures may be described in terms of (1) planning, (2) control evaluation, (3) substantive testing, and (4) completion. The audit process is recursive: the findings from risk assessment procedures performed later can trigger a reevaluation of earlier risk assessments and attendant audit objectives.67 Application of Concepts

Figure 5.2 superimposes the KPMG audit workflow onto a diagram depicting many of the conceptual elements discussed in prior chapters. The graphic presented on the left-hand side of Figure 5.2 is a generalized depiction of the steps for an individual risk assessment procedure, or for a set of such procedures executed during the audit workflow. The graphic illustrates that within and across the workflow the auditor performs recursive risk assessments by setting objectives and planning procedures, obtaining and interpreting evidence, forming/revising beliefs and developing expectations, and applying the expectations to identify and assess financial reporting risktriggering conditions and events. The audit team cycles through this process, each time setting new objectives and planning new procedures in response to risk assessments made during the previous cycle. The 3x3x4 cube shown in the center of Figure 5.2 presents the audit risk assessment domain as nine interrelated components for each element of the audit workflow. Each of these nine components represents one of the three fundamental sources of evidence (EBS, MII, and MBR) cross-matched with one of the three levels of magnification (FST, CAB, and ASR) that may be the focus of any given risk assessment procedure. During each element of the audit workflow, the auditor develops an evidence acquisition strategy by considering each of the nine components comprising the audit risk assessment domain and exercising professional judgment to choose the most efficient portfolio of risk assessment procedures that will produce sufficiently well-justified beliefs in response to the overarching objective. Also, as illustrated on the right-hand side of Figure 5.2, the auditor will consider both fraud and error risks when develop67

As discussed earlier, by recursive we mean that over the course of the audit, auditors cycle through the risk assessment process until their beliefs are well justified, i.e., rest on a prudent interpretation of sufficient, appropriate evidence. At this point, DR will have been reduced to an acceptably low level to support an opinion.

– 40 –

ing the evidence acquisition strategy, setting objectives, and planning risk assessment procedures to assess RMW, RMM, and DR in the integrated audit. Figure 5.2: Putting It All Together in the Integrated Audit

FST

EBS

MII

MBR Assessed Risks

CAB

(Fraud & Error)

Assess Risks

Obtain & Interpret Evidence Form/Revise Beliefs, Update the Mental Model, & Develop/Revise Expectations

Workflow Elements

ASR Set Objectives & Plan Procedures

RMW PL

RMM PL

RMW CE

RMM CE

Quality Control

Recursive Risk Assessments

Le ve ls

Evidence of and from

DR PL ?

Planning

DR CE ?

Control Evaluation RMW ST

RMM ST DR S T ?

Substantive Testing RMW CP

RMM CP

Completion

DR CP ?

RMW (Fraud & Error)

The subscripts PL, CE, ST, & CP respectively designate planning, control evaluation, substantive testing, and completion

Figure 5.2 further presents some of the interdependencies (see arrows) among risk assessments within the workflow, and illustrates that, within each element of the workflow, the auditors exercise professional judgment to assess and manage the DR associated with the chosen set of objectives, and plan and execute the recursive risk assessments. The auditors understand that DR, and especially non-sampling risk, must be sufficiently well controlled throughout the audit workflow. As an illustration, if planning risk assessments were inadequate, undesirable effects potentially could cascade through the other elements of the audit workflow. If the risk of major customer disputes over accounts receivable were to be underestimated during planning, for example, procedures designed to be responsive to planning risk assessments may not reduce DR with respect to accounts receivable valuation to an acceptably low level. Effective audit quality control, therefore, necessitates the auditors’ timely evaluation of whether the cumulative evidence obtained during each element of the audit workflow is sufficient and appropriate for the objective at hand and facilitates the auditors’ development of well-justified beliefs. Application of Concepts: Specific Workflow Elements

During planning, an auditor uses beliefs based on his or her industry expertise, prioryear experiences with the client, and general auditing and accounting knowledge to

– 41 –

plan a portfolio of risk assessment procedures. The composition of this portfolio is a matter of professional judgment, but it ordinarily includes a mix of holistic and relatively pointed risk assessment procedures (e.g., updating the understanding of entity strategies and objectives, and selective analyses of the entity’s business process performance in a new distribution channel). These procedures provide the auditor with evidence about selected EBS, MII, and MBR. The auditor assimilates such evidence into his or her developing mental model and, based on this model, forms preliminary assessments of RMW, RMM, and DR. These evidence-driven, beliefbased risk assessments help the auditor devise the initial audit plan.68 Later in the audit workflow, of course, the auditor implements and monitors the effectiveness of the audit plan. Specifically, the auditor frequently reassesses and responds to reassessed risks until in the auditor’s professional judgment, DR has been managed to an acceptably low level. Importantly, throughout the audit workflow, the audit team prepares sufficient documentation of the recursive risk assessments as they unfold to enhance audit effectiveness. In Chapter Six we present further discussion of planning risk assessments and examples of applications of the conceptual elements discussed earlier in the monograph. The overarching objectives for control evaluation are to obtain additional evidence of and from EBS, MII, and MBR to understand accounting and reporting activities within significant classes of transactions and account balances, and to evaluate the design, implementation, and operating effectiveness of selected internal controls. The auditor obtains this evidence to update the assessment of RMW and to assess the risk of significant misstatement (ROSM) and residual DR at the CAB and intrinsic assertions levels.69 In Chapter Seven we elaborate on control evaluation risk assessments and present examples of how the concepts discussed earlier may be applied during control evaluation. During substantive testing, the auditor plans and performs procedures to address the risk assessments made during planning and control evaluation (i.e., RMW, ROSM, and DR). After performing substantive tests at the assertions level, the audit team 68

The plan also includes accounts that the auditor judges to be subject to special audit considerations or to be significant. Within the KPMG Global Audit Methodology, an account is deemed to be significant if, in the auditor’s judgment, there is more than a remote likelihood that the account could contain misstatements that individually or when aggregated with others could have a material effect on the financial statements, considering the risks of both overstatement and understatement. Accounts may be significant on a qualitative basis based on the expectations of a reasonable user of the financial statements. The assessment as to likelihood is made without giving consideration to the effectiveness of internal control. Significant accounts may be financial statement captions or disaggregated components of financial statement captions consisting of one or more general ledger accounts.

69

ROSM is the term used in KPMG’s Global Audit Methodology to represent assessed residual RMM after control evaluation but before substantive testing. The reason for the change in terminology is that, usually, the KPMG auditor plans substantive tests at the assertions level using a detection threshold criterion that is lower than the materiality threshold applicable at the overall financial statement level. A lower significance threshold is needed for assertionslevel risk assessments because at that level the auditor assesses the risk that misstatements, when aggregated, may be material even though individual misstatements may not meet the materiality threshold.

– 42 –

updates the assessment(s) of DR by considering whether the cumulative evidence obtained is sufficient and appropriate to support post-testing assessments that residual ROSM is at an acceptably low level. During completion, the auditor designs and performs various analyses (including analytical procedures) to make final assessments of RMW, RMM, and DR at the FST, CAB, and ASR levels, and to evaluate whether supplemental disclosures are adequate and complete. Finally, the auditor synthesizes the cumulative evidence obtained during the recursive risk assessment process, considers whether sufficient and appropriate triangulated evidence has been obtained to assess and address all significant audit risks, and judges whether the beliefs on which the final risk assessments rest are sufficiently well justified. Also, the audit team will conclude on specific topics, such as going concern uncertainties, potential illegal acts, and litigation and claims involving the entity, and perform a final evaluation of any fraud-related matters. In Chapter Eight, we present examples of how the auditor might apply the conceptual elements discussed earlier during substantive testing and completion.

– 43 –

Chapter Six

Planning Risk Assessments

The audit team often begins planning risk assessments during the first or second quarter of the entity’s fiscal year. Consequently, the evidence available to the auditor of and from EBS, MII, and MBR is not yet complete with respect to the annual financial statement amounts that ultimately will be subjected to audit. Figure 6.1 depicts linkages among the key activities undertaken during audit planning. As illustrated, the auditor designs and executes procedures to obtain evidence of and from EBS, MII, and MBR to update his or her business understanding. Based on the updated business understanding, the auditor develops expectations by considering potential drivers of elevated RMW and RMM, and makes preliminary risk assessments at the three levels of magnification—FST, CAB, and ASR. RMW and RMM are decomposed into fraud and error risks in Figure 6.1, because specific fraud procedures may be needed to address characteristics of fraud (e.g., concealment) that may not be addressed sufficiently if auditors were to perform only error-oriented procedures. Figure 6.1: Planning Assessments of RMW, RMM, and DR Evidence of and from

Prior Prior Evidence Evidence

Evidence

EBS

el s Le v

Procedures to Update Business Understanding

MII

ASR

Revise Beliefs

Updated Business Understanding

Planning

(Changes in Conditions)

RMW (Fraud & Error)

Apply Understanding to Assess Risks F/S Level Risk Assessments Going Concern

Risk of Fraud

MBR

FST CAB

(Pervasive Financial Reporting Risks)

Risk of Error

Risk of Fraud

Risk Assessments at CAB & ASR Levels (Inherent Risks) Risk of Error

Responses - Specific Assertions

Overall Response

Additional Responsive Procedures (Control Evaluation & Substantive Tests)

Significant routine classes of transactions Significant and unusual transactions Significant accounting estimates and other valuations Other account balances Significant matters that may require disclosure

C E A V O P

– 45 –

RMW, RMM & DR

During planning, the auditor may identify a variety of financial statement components to which additional procedures will be applied during control evaluation and substantive testing to refine assessments of RMW and RMM and manage DR. Such components generally include significant routine classes of transactions, significant and unusual transactions that either already have occurred or that management has plans to execute before fiscal year-end, accounting estimates and other highly judgmental valuations, other account balances with elevated preliminary assessments of RMW and RMM, and significant matters that may require disclosure. The auditor will consider specific management assertions within these components to plan, allocate resources, and coordinate responsive risk assessment procedures.70 Also, to address pervasive risks, such as RMM due to fraud or pervasive RMW due to control environment attributes, the auditors’ evidence acquisition strategies may include using more experienced personnel, using specialists (e.g., industry, IT, and forensics specialists), and obtaining more evidence of and from EBS. To illustrate the latter, the auditor may inquire of key operating personnel within the entity but working outside of the accounting department, key customers of the entity, or key personnel working Figure 6.2: Examples of Evidence of and from EBS, MII, and MBR for Planning Assessments of RMW, RMM, and DR EBS

MII

MBR

Relevant Industry, Regulatory, and Other External Factors

Applicable Financial Reporting Framework

Financial Statement Level

General economic conditions Industry competition Customer and supplier relationships Technological developments Applicable laws and regulations Other relevant external forces Entity Objectives, Strategies, and Related Business Risks

Overall business plans and recent changes Operational approaches - New products and product-line extensions - Moves into new geographical markets - Mergers and acquisitions - Alliances, SPEs, and other unusual affiliates - Tax strategies Related business risks Nature of the Entity

Ownership structure Governance Entity’s operations (e.g., business process performance) Significant investment and financing activities Service organizations Related parties

70

Entity’s Selection and Application of Significant Accounting Policies

Methods used for significant and unusual transactions Significant accounting policies and practices adopted by the entity, including for controversial or emerging areas Entity changes in accounting policies and application methods and reasons for changes

Control Environment

Governance and management roles, attitudes, and actions Organizational culture Management’s risk appetite Entity’s risk assessment process Instances or concerns of misconduct or unethical behavior Internal audit function Controls established by corporate governors and managers to prevent and detect fraud

Financial key performance indicators (FKPIs) developed from interim F/Ss Budgets and variance analyses for interim periods and full year Segmental, divisional, departmental, and other level performance reports Non-financial performance indicators correlated with financial statement amounts and ratios Representations made to analysts, press releases, etc. Significant Classes of Transactions and Account Balances, and Significant Disclosures

Routine classes of transactions Significant and unusual transactions Significant accounting estimates and valuations Other account balances Significant matters that may require disclosure Assertions within Classes of Transactions, Account Balances and Disclosures

Completeness, existence, accuracy, valuation, rights and obligations, and presentation and disclosure

As shown in Figure 6.1, the KPMG Global Audit Methodology uses the acronym CEAVOP to represent six management assertions: completeness, existence, accuracy, valuation, obligations and rights (i.e., ownership), and presentation and disclosure.

– 46 –

within the entity’s supply chain, and may introduce the element of surprise, such as unannounced visits to locations or performing unexpected additional procedures. The box presented in the upper right-hand corner of Figure 6.1 shows that the auditor considers each of the three sources of evidence, EBS, MII, and MBR, and each of the three levels of magnification, FST, CAB, and ASR, when developing the evidence acquisition strategy for risk assessments during planning. Just as when driving a car from point A to point B, we continually scan the environment and our senses pick up any unusual obstacles or events that might place us in harm’s way, so, too, during the typical public company audit the auditor continually monitors the entity and its environment for financial reporting risk-triggering conditions and events. Figure 6.2 presents examples of EBS, MII, and MBR elements that the auditor may decide to monitor during planning. Once such a decision is made, the auditor generally continues such monitoring throughout the audit workflow. We next present examples of how the auditor might lever evidence for particular elements presented in Figure 6.2 to make assessments of RMW and RMM at the FST level. Planning Risk Assessments at the FST Level

Auditors’ preliminary assessments of RMW and RMM during planning include identification and assessment of pervasive risks at the FST level. Pervasive FST-level risks emanate from conditions and events that may jeopardize the entity’s ability to continue as a going concern or that may indicate the presence of significant incentives and pressures bearing down on management that may elevate the risk of material misstatement due to fraud. Pervasive risks also arise from conditions and events within the entity’s control environment that may elevate RMW. These conditions and events include opportunities for management override of controls, management attitudes and rationalizations that can elevate the risk of fraud, and other pervasive material control weaknesses, such as ineffective controls over centralized processing in shared-service environments. As shown in Figure 6.2, elements in EBS that the auditor may monitor for the purpose of assessing FST-level risks are numerous. As one example, relevant macroeconomic factors may be inflation and interest rate trends, both of which may trigger concerns about the appropriateness of the presentation and disclosure of hedging activities. As another example, if an entity were to change its corporate governance structure, making more members of the board independent and adding more financial expertise, the auditor may be less concerned about management’s ability to convince the board to adopt overly aggressive accounting policies. The auditor also may monitor numerous elements of MII and MBR. As an MII example, the auditor may monitor the scope and competence of the internal audit

– 47 –

function. If the internal audit department were to suffer significant turnover of key employees, the auditor may be more reluctant to rely on the work of internal auditors. Examples of MBR that the auditor may monitor are non-financial key performance indicators (KPIs) and other information that management uses for business control purposes (e.g., number of new stores and geographic reach statistics for an entity that has an organic growth-management business process). Such indicators and other information may be correlated with financial and non-financial amounts included in MBR. Importantly, auditors do not make independent assessments of RMW and RMM for each of these critical elements. Rather, an auditor uses the evidence obtained from monitoring these elements to update his or her mental model of the entity and its environment. The auditor’s mental model, embodying the combination of ingredients, and an understanding of how they interrelate, is the source from which expectations are brought forth about financial-reporting risk-triggering patterns of conditions and events, as well as expectations of changes in financial measures over the reporting period. This mental representation of relevant EBS, MII and MBR, and their interrelationships, also is brought forth and applied as context by the auditor when he or she evaluates other audit evidence. Reasonableness Tests on Financial KPIs (FKPIs)

Assessing the reasonableness of FKPIs using evidence obtained of and from EBS and MBR can be a valuable complementary risk assessment approach, even when the inherent precision of the expectation is less than ideal for a substantive analytical procedure. Such attention-directing procedures can indicate elevated RMM even when they do not produce precise point estimates for specific account balances or ratios. The auditor may make reasonableness assessments of FKPIs at several key junctures throughout the client’s annual reporting period, e.g., at planning, during reviews of quarterly financial reports, during substantive testing of significant CABs, and during completion. When performing these reasonableness assessments, the auditor usually will include those FKPIs that analysts and other users study to evaluate the entity’s financial performance. These composite measures are management representations of concern to users, and assessing their reasonableness in light of changing business conditions can indicate elevated RMM that also may be perceived by outside users. In addition, such assessments might indicate elevated RMM that other details-oriented procedures do not reveal. Importantly, the auditor does not limit these attention-directing analytical procedures to mere comparisons of current-year and prior-years’ account balances and ratios. Such comparisons implicitly assume that last year’s composite representations constitute relevant and reliable expectations for current-period representations. A search for unusual fluctuations in account balances and ratios in that – 48 –

manner would be incomplete. A sufficiently rich mental model is needed to develop expectations about how accounts and ratios would be expected to fluctuate in response to changing EBS, and when the interim and annual MBRs do not reflect expected fluctuations RMM may be elevated. Therefore, the auditor runs his or her mental model, which leverages evidence of and from EBS to develop expectations to assess the reasonableness of FKPIs. Also, the auditor will consider performing additional procedures in response to both the presence of unusual fluctuations in account balances and ratios and the absence of expected significant fluctuations in the MBRs. Examples of FKPIs for which the auditor may apply EBS-based reasonableness assessments are: • Sales growth • Changes in: – Other key account balances – Composition of the balance sheet and income statement (i.e., comparative common-size financial statements) – Operating margins – Asset turnover measures (e.g., receivables, inventory, fixed assets) – Ratio of operating cash flow to operating income – Proportion of bad debt expense to sales revenue – Levels of discretionary accounting accruals • Comparable measures at the segment, divisional, or other levels Other potentially useful EBS-based reasonableness assessments may involve the auditor’s leverage of evidence on the entity’s structure and operations. For example, the auditor could compare total productive capacity for a specific line of business or a particular product line over a given period of time (e.g., a fiscal quarter), with related amounts included in MBR, e.g., the total number of units sold (total sales divided by average unit price). Similarly, reasonableness assessments can be made for inventory by comparing peak inventory levels with total warehouse capacity. Another potentially useful source of evidence for auditors’ reasonableness assessments is entity budget information, including information contained in periodic variance analyses. Interim and annual budget information assembled using mostlikely future EBS scenarios can provide the auditor with reasonable expectations for composite MBRs at the entity, segment, divisional, product line, or other levels. Also, although Figure 6.2 includes budget and variance information in MBRs, as it is typically the source of information management uses to provide analysts with periodic earnings forecasts, such information also is an important ingredient for effective management control over business processes, including performance eval-

– 49 –

uations for operating personnel. When such information reflects extreme stretch goals, and not most-likely future EBS scenarios, there may be an elevated risk of fraud, especially if management is providing earnings forecasts to analysts based on such information. Therefore, the auditor may also perform reasonableness assessments on budget and variance information by obtaining EBS-based evidence to develop expectations of most-likely future EBS scenarios and comparing such expectations with key assumptions used to develop budgets. Preliminary Assessments of RMW

During planning, the auditor also leverages evidence of and from EBS, MII, and MBR to update his or her understanding of entity-level controls, evaluate the design and implementation of selected controls, and make a preliminary assessment of RMW. Entity-level controls are those components of internal control that are pervasive across an entity and therefore do not pertain exclusively to specific CABs or ASRs. These components include the control environment, entity-wide risk assessment process, information systems and communication, and control monitoring activities.71 Evaluating the design of an entity-level control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing or detecting and correcting material misstatements. Evaluating the implementation of a control involves determining whether the control exists and is used by the entity. The procedures applied to make these evaluations will involve evidence of and from the three fundamental sources. Examples of such procedures include inquiries of entity personnel (EBS and MII), observing the application of specific controls (EBS and MII), inspecting relevant internal documents and reports (MII), and tracing transactions from their point of origin in the entity’s business processes (EBS) through the information systems (MII) and to the composite MBRs (i.e., walkthroughs). As mentioned earlier, components and characteristics of the control environment that may be evaluated by the auditor include management’s and corporate governors’ roles, attitudes, and actions pertaining to financial reporting risk control; the tone at the top and whether management has created and maintained a culture of honesty and ethical behavior; and whether specific controls have been established by managers (with oversight of corporate governors) to prevent and detect material fraud and error. Importantly, the auditor will consider whether open channels exist for upstream communications by personnel of perceived instances of accounting error or allega71

KPMG’s Global Audit Methodology has adopted the five components of the COSO Internal Control-Integrated Framework to guide the auditor’s control evaluation activities: (1) control environment, (2) risk assessment process, (3) information and communication, (4) control activities, and (5) monitoring of controls.

– 50 –

tions of fraud. Typically, these evaluations are made through inquiries of management, those charged with governance, and other entity personnel (e.g., the chief ethics officer and certain operating personnel). In certain situations, the auditor may deem it helpful to make inquiries of persons outside the organization, e.g., key suppliers and customers, in an attempt to corroborate with evidence from EBS the representations made by management or those charged with governance. The auditor evaluates the entity’s risk assessment process by considering how management identifies and assesses the business risks relevant to financial reporting, and decides upon actions to manage them. The auditor will identify the business risks management has earmarked as being relevant to the financial statements and disclosures, and assess whether they may result in material misstatement. If, during the remainder of the audit, the auditor identifies specific risks of material misstatement that management failed to identify, he or she considers whether any related business risks should have been identified by the entity’s risk assessment process, and if so, the implications such failures have on the portfolio of evidence that the auditor may want to acquire to reduce DR to an acceptably low level. When evaluating the entity’s information system and communications relevant to financial reporting, the auditor evaluates the design and implementation of financial reporting procedures, relevant computer information systems, sources of information for individual transactions included in CABs, and relevant controls over the initiation, authorization, recording, processing, and reporting of transactions. Also, the auditor evaluates the major activities the entity undertakes to monitor internal control over financial reporting and whether and how the entity initiates corrective actions to its controls. In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of the entity’s activities. Management’s monitoring activities may also include using evidence of and from EBS, e.g., communications from external parties, such as customer complaints and regulator comments that may indicate problems or highlight areas in need of improvement. Elevated RMW at the entity level will usually lead to modification of procedures performed throughout the remaining audit workflow, including application of more procedures at period-end, modification of the nature and extent of substantive procedures to obtain more persuasive evidence, increase in the number of locations audited, and so on. Also, the assessed RMW will impact the auditors’ planned approach for control evaluation. For example, tests of the operating effectiveness of selected controls at the CAB and ASR levels may be planned when entity-level controls are judged to be appropriately designed and implemented. When a limited number of deficiencies in entity-level controls have been identified, the auditor will usually consider the effect of such deficiencies on the planned audit approach at the ASR level.

– 51 –

Planning Risk Assessments at the CAB and ASR Levels

The arrows in Figure 6.1 that link FST-level risk assessments to CAB- and ASR-level risk assessments indicate that pervasive risks identified and assessed at the FST level often also will indicate risks in CABs and ASRs. For example, as the auditor contemplates financial reporting risks associated with an entity’s recent strategic changes (e.g., movement into new and untested geographic markets), the auditor may conclude that specific CABs also likely present heightened RMW and RMM (e.g., hiring new, less-experienced personnel in a new location may increase RMW and RMM in CABs for that location). Or, as the auditor learns about strategies and related business plans that management has communicated to the investment community, and assesses whether the expectations created by such communications may pressure management—thereby elevating the risk of fraud—such assessments may indicate specific account balances and disclosures investors will scrutinize to evaluate financial consequences resulting from implementation of the strategies and plans. Figure 6.1 also shows that the updated business understanding provides the basis for more direct risk assessments at the CAB and ASR levels. For example, evidence of new business and accounting practices used in the client’s industry, and their associated risks, will inform the auditor about specific account balances and classes of transactions that present significant risk. Also, measurement and review of the entity’s interim financial performance, and assessment of whether it appears reasonable in light of recent changes in EBS, may direct the auditor’s attention to specific account balances for which changes over the interim reporting period do not appear reasonable. The auditor will lever evidence obtained of and from EBS to understand the business purposes, and identify and assess the inherent business risks, for significant and unusual transactions. Further, the auditor will use EBS-based evidence to develop expectations for changes in accounting estimates and other highly judgmental valuations, such as management’s consideration of the possibility of impairment of assets. The auditor also exercises professional skepticism by assessing the risk of management bias in accounting estimates and valuations using EBS-based expectations. Finally, as mentioned earlier, the auditor will consider specific management assertions within those CABs presenting significant RMM to plan, allocate resources, and coordinate responsive risk assessment procedures.

– 52 –

Chapter Seven

Control Evaluation

During control evaluation, the auditor uses triangulation to refine the preliminary assessment of RMW made during planning and to build on the preliminary assessment of RMM by assessing residual ROSM at the CAB and ASR levels. Specifically, as illustrated in Figure 7.1, the auditor levers evidence of and from EBS, MII, and MBR, each at the three levels of magnification, to revise his or her beliefs about the degree to which MII faithfully transform selected EBS for ultimate presentation in financial statements in accordance with an applicable financial reporting framework. If, during control evaluation, the auditor acquires sufficient evidence to justifiably believe that MII (including, e.g., relevant accounting activities and entity-level controls) reliably effect such a transformation, the auditor may become more comfortable with a portfolio of substantive tests that do not heavily lever further comparisons between EBS- and MBR-based evidence. If, instead, acquired evidence suggests MII are not working sufficiently well, the auditor is likely to want to ensure that subsequent substantive tests heavily lever comparisons between EBS- and MBR-based evidence.72 Figure 7.1: Control Evaluation for Assessments of RMW, ROSM, and DR Plan Additional Responsive Procedures

Le v

el s

Evidence of and from EBS

MII

FST CAB

MBR Updated RMWs (Fraud & Error)

ASR

Entity-Level RMWs

Control Evaluation RMW (Fraud & Error)

CAB-Level RMWs Assertions-Level RMWs

Significant routine classes of transactions Significant and unusual transactions Significant accounting estimates and other valuations Other account balances Significant matters that may require disclosures

ROSM and DR at the ASR Level

C E A V O P Additional procedures responsive to ROSM (Including fraud procedures when appropriate)

Integrate evidence from Planning and Control Evaluation risk assessments to update beliefs and assess ROSM and DR at the ASR level

72

The auditor will plan to test and rely on controls for assertions for which substantive testing alone will not provide sufficient appropriate audit evidence. For certain assertions not associated with a significant risk, including fraud risk, and for which the auditor determines that it is possible and practical to obtain sufficient additional audit evidence from substantive tests only, the auditor will still both evaluate the design and implementation of entity-level controls and obtain an understanding of relevant accounting activities (see, e.g., ISA 315, paragraphs 115-118).

– 53 –

During control evaluation, the auditor levers preliminary expectations and other beliefs that he or she developed from EBS-, MII-, and MBR-based evidence acquired during planning. During planning, the auditor may have learned of changes in EBS that management should carefully monitor within MII but may have an incentive to de-emphasize. For example, a biopharmaceutical entity may have a competitor that is currently experiencing a sudden and steep upsurge in threatened litigation. The competitor may be removing an extremely popular prescription drug from the market due to a recent trend of severe reactions, including patient morbidity. The auditor would derive comfort to the extent that information systems in MII capture and track whether relevant segments of the client’s drug portfolio are producing or likely will produce similar reactions in patients. To the degree that information systems in MII track relevant KPIs and FKPIs, it is more likely that the entity’s internal control over financial reporting will have the capacity to ensure that such information is transformed into a proper, reliable estimation of any similar contingent liabilities that, if appropriate, are accrued. To the degree that MII do not track such indicators, however, the auditor may elevate ROSM, including risks of fraud (e.g., purposeful understatement of contingent liabilities). Assessing RMW and ROSM at the CAB and ASR Levels

As shown in Figure 7.2, when evaluating controls concerning significant routine classes of transactions, the auditor typically will obtain evidence of and from each of the three evidentiary sources—EBS, MII, and MBR. For example, when updating the understanding of key information processing activities, the auditor will perform walkthroughs commencing at the point at which transactions are initiated within business processes (EBS) and continuing with the auditor’s tracing of related information through MII to composite MBR. To refine the planning assessments of RMW and to assess ROSM for the completeness and accuracy assertions, the auditor will usually obtain evidence of and from relevant business process activities (EBS) to identify and assess significant risk points associated with the initiation of information processing activities. KPMG’s Global Audit Methodology defines a significant risk point as a point in the entity’s accounting activities at which there is more than a remote likelihood that a misstatement (including fraud) could occur that, individually or in the aggregate, exceeds the significant misstatement threshold established by the auditor. Also presented in Figure 7.2, relevant information processing activities and attributes (i.e., MII) for routine classes of transactions include the people, policies, procedures, information systems, tools, and templates by which transactions are initiated, authorized, recorded, processed, and reported in the financial statements, and other activities that capture economic conditions and events that impact the measurement and recognition of such transactions. When evaluating the design and

– 54 –

Figure 7.2: Triangulation to Assess RMW and ROSM for Routine Classes of Transactions Evidence for Updating Beliefs to Assess RMW & ROSM

EBS

Supporting Details to

MII Activities

(Including Business Processes)

Fraud Risk?

Initiate

Authorize

Record

Process

Report

People Policies (including applicable FR framework) Accounting and other information systems Business forms and documents Other

MBR

Error Risk?

Understand information processing activities—walkthroughs from the point of initiation within business processes to the composite MBRs Identify “significant risk points”—points in the entity’s accounting activities at which there is more than a remote likelihood that a misstatement (including fraud) could occur that, individually or in the aggregate, exceeds the significant misstatement threshold Evaluate the design and implementation of controls over significant risk points, including controls over the risk of electronic manipulation of data Test the operating effectiveness of controls, where warranted

implementation of controls for significant routine classes of transactions, the auditor considers how the control is designed, performed, and documented, how often it is applied, the nature and significance of misstatements it is likely to prevent or detect, and the competence and experience of the person(s) who perform the controls. The procedures used to make these evaluations may include inquiries of businessprocess managers and other entity personnel, inquiries of major customers and personnel within the entity’s supply chain, observation of the application of specific controls within business processes, and inspection of relevant internal documents and reports. Figure 7.3 highlights some of the key control activities and attributes involved in the entity’s preparation and reporting of accounting estimates and disclosures. Again, the auditor’s evidence acquisition strategy for evaluating controls over significant estimates and disclosures will involve consideration of the three fundamental sources of evidence. The auditor obtains an understanding of (1) relevant attributes of the amounts, including pertinent business risks and related controls, (2) key assumptions that determine the estimates and disclosures, (3) whether there appear to be sources of management bias for individual estimates or many estimates taken collectively, (4) competence of the estimator and the complexity of the estimation process, (5) quality of the information used in the estimation process, (6) the estimate’s historical accuracy, and (7) the estimate’s inherent level of uncertainty.

– 55 –

Figure 7.3: Triangulation to Assess RMW and ROSM for Accounting Estimates and Disclosures Evidence for Updating Beliefs to Assess RMW & ROSM Supporting Details to

MII

EBS Key Assumptions

Fraud Risk?

Estimation Model

MBR

Process

People Policies (including applicable FR framework) Accounting and other information systems Business forms and documents Other

Error Risk?

Understand EBS relevant to the estimate or disclosure Understand key assumptions that determine estimates and disclosures, and reconcile with EBS understanding: Key Assumptions missing? Apparent bias in the choice and weighting of assumptions? Etc. Assess competence of the estimator and complexity of the process Assess quality of the input information Assess historical accuracy and inherent level of uncertainty

Finally, for other account balances where responsive audit objectives do not involve classes of transactions, the relevant activities understood by the auditor to assess RMW are those activities carried out by the entity to ensure the amounts are not materially misstated. For those activities involving or being impacted by computer information systems, the auditor obtains an understanding of the procedures used by the entity to manage the risk of electronic manipulation of underlying data, amounts in the general ledger, or financial statement account balances without creating separately identifiable journal entries. When the computer information systems are complex, the auditor often also obtains an understanding of the systems environment and assesses whether it presents significant inherent and control risks. For computerized information systems, general IT controls are policies and procedures that support the effective functioning of application controls at the business process level and maintain the integrity of information and security of data. These policies and procedures include a variety of MII, e.g., controls over data center and network operations; system software acquisition, change, and maintenance; access security; and application system acquisition, development, and maintenance. Application controls are MII operating within a business process, including controls over the initiation, authorization, recording, processing, and reporting of transactions and other financial information in CABs, and ultimately within composite amounts reported in financial statements and possibly other MBR.

– 56 –

Testing the Operating Effectiveness of Selected Controls

When planning tests of the operating effectiveness of controls, e.g., to determine the extent to which EBS-based evidence is levered during substantive testing, the auditor generally will consider only those controls that he or she expects to be effectively designed and implemented by the entity. Tests of operating effectiveness will involve obtaining sufficient appropriate evidence of and from EBS, MII, and MBR on how the controls actually were applied, whether they were applied consistently over the course of the period under audit, by whom they were applied, and whether they completely and faithfully transform EBS into MBR. Additional risk assessments made during substantive testing and completion may produce evidence that reveals the existence of material weaknesses. Such evidence may prompt the auditor to revise his or her beliefs; update the assessments of RMW, RMM, and DR; and reconsider whether critical audit objectives thought to have been achieved previously need to be addressed further. Control Evaluation Results

During control evaluation, the auditor will synthesize the assessments of RMW and RMM made during planning and control evaluation into assessments of ROSM at the assertions level. The auditor will exercise professional judgment to determine the nature, timing, and extent of the substantive risk assessment procedures, including fraud procedures when warranted, that he or she believes will lead to final updated assessments of RMW and RMM that rest on sufficiently well-justified beliefs (i.e., DR has been reduced to an acceptably low level). In some jurisdictions (e.g., public companies in the United States), auditors will consider the RMW as of the date of management’s assessment of internal control over financial reporting for the purpose of rendering an opinion on management’s assertions on the operating effectiveness of internal controls.

– 57 –

Chapter Eight

Risk Assessments During Substantive Testing and Completion

Risk Assessment During Substantive Testing

The recursive risk-assessment process continues during substantive testing, as the auditor designs and performs tests responsive to the assessed ROSM pertaining to specific assertions. As illustrated in Figure 8.1, such tests include substantive analytical procedures or tests of the details supporting specific classes of transactions or account balances, or a combination thereof. Both classes of substantive tests draw on three fundamental sources of evidence—EBS, MII, and MBR. Figure 8.1: Substantive Testing Risk Assessments

Le v

el s

Evidence of and from EBS

MII

MBR

FST CAB

ASR

APs, Presentation, Etc.

Substantive Testing

APs & TDs

Significant routine classes of transactions Significant and unusual transactions Significant accounting estimates and other valuations Other account balances Significant matters that may require disclosure

APs & TDs RMW (Fraud & Error)

Integrate evidence from Planning, Control Evaluation, and Substantive Testing risk assessments to update beliefs and assess residual RMW, ROSM, and DR (especially non-sampling risk) at the ASR level

An analytical procedure entails developing a mental model that, when run, provides the auditor with an expectation for an account balance (or portion thereof) or for relationships among account balances (often in the form of ratios). Such a model is developed through the study of plausible relationships among financial and nonfinancial data. The auditor then compares the expectation produced by the model with the associated unaudited amount, and uses professional judgment to update the assessment of the ROSM based on the observed difference, as well as residual DR (principally non-sampling risk). When performing an analytical procedure, the auditor considers the reliability of the underlying data used to generate the expectation. For example, for data obtained from the entity’s management, the auditor would consider whether relevant internal controls, including controls over possible management override, are operating effectively. Analytical procedures can target the CAB or ASR levels and, if used to assess the overall reasonableness of financial key perform-

– 59 –

ance indicators derived from amounts presented in the financial statements (e.g., operating margins or return on assets), they can target the FST level (e.g., comparison of asserted revenue and scale of operations to industry-wide revenue and other market share information). Tests of details involve application of one or more techniques to individual items or transactions contained in an account balance, class of transactions, or accompanying disclosures, thereby targeting the CAB or ASR levels. Tests of details may involve evidence of and from MII (e.g., inspection of supporting records or documents such as sales invoices), evidence of and from EBS (e.g., observation of the production or construction of physical assets or examination of acquired or stored physical assets, confirmations obtained from independent outsiders), as well as evidence of and from MBR (e.g., recalculations of subtotals and composite amounts). The items selected for a test of details may comprise 100 percent of the items contained in the account balance or class of transactions, or a sample of such items. When testing a sample of items, the auditor develops an expectation for the associated population by projecting the sample results to the population, with an appropriate allowance for sampling risk. The auditor exercises professional judgment to update the assessment of ROSM for the population and the post-testing assessment of DR (particularly non-sampling risk). When designing the nature, timing, and extent of substantive tests the auditor considers numerous matters including: • Specific assertion-level risks identified during planning and assessed ROSM for the assertion being tested • Relevant characteristics of the particular class of transactions or the nature of the specific account balance or disclosure, and the specific assertions covered by the audit objective • Any significant risk points related to the underlying information processing activities • Whether a risk of fraud has been identified When the auditor has identified a fraud risk, he or she exercises professional skepticism by considering benefits of designing and executing additional audit procedures to produce stronger forms of triangulated evidence. Consistent with U.S. authoritative guidance, these additional audit procedures and evidence potentially would reflect three basic, related responses to address identified fraud risks (see, e.g., SAS 99). One response is for the auditor to modify the overall audit approach. This overall response could include several facets such as assigning additional professionals with information technology and forensic auditing skills, including a greater number of unpredictable substantive tests (e.g., visit operating or inventory storage locations unannounced), and heightening supervision of subordinate auditors.

– 60 –

An additional response to address identified fraud risks would be for the auditor to consider altering the nature, timing, and extent of substantive tests at the FST, CAB, or ASR levels. The nature of substantive testing could be modified, for example, to include additional independent evidence of and from EBS (e.g., confirming the terms of contracts with major customers via inquiries of those customers). Timing could be shifted to near, or even after, the year-end (e.g., wait for cash collections from major customers), and the extent of testing could be increased by using a larger sample size for tests of details, performing analytical procedures on a more disaggregated basis (e.g., break down sales by finer geographical or product-line partitions), or performing combinations of tests of details and analytical procedures. Yet another related response to identified fraud risks would be for the auditor to consider designing and performing additional substantive tests specifically targeted to detection of potential management override of internal controls at the CAB or ASR levels. Such tests could include increasingly detailed examination of evidence in support of journal entries to complex accounts (e.g., pension reserves) or accounts prone to error in prior years. Of course, the auditor also should consider the possibility of making increasingly detailed examinations of less complex accounts or accounts not prone to error since strategic members of management may use any number of accounts for concealment purposes. Finally, such tests could include elevated examination of evidence in support of journal entries made during the year and/or near year end for unusual activity (e.g., accounts being debited that normally are credited, atypical accounts being used in an adjusting entry, adjustments made by individuals normally not associated with the financial reporting process, and other forms of nonstandard journal entries). The substantive testing phase ends when, in the auditor’s professional judgment, the assessed ROSM, RMW, and DR at the ASR level are acceptably low, and, in the auditor’s professional judgment, such assessments rest on beliefs that are well justified in light of an appropriately strong portfolio of triangulated evidence. Risk Assessment During Completion

During completion, the audit team should be armed with sufficient and appropriate triangulated evidence of and from EBS, MII, and MBR to make final assessments of RMW, RMM, and DR at the FST, CAB, and ASR levels. Such evidence will include the general-purpose financial statements management proposes to disclose to the public and supporting details and all of the evidence obtained throughout the audit to update the audit team’s understanding of the entity and its environment, including its internal controls. It also will include documentation on the significant judgments made by the audit team throughout the recursive risk assessment process, including

– 61 –

the objectives set by the team during the audit workflow, the risk assessment procedures that were planned and applied, the evidence that was obtained, and ensuing conclusions on assessed risks and related responses. As indicated in Figure 8.2, the auditor will lever this portfolio of evidence to perform final analyses and make final risk assessments at the FST, CAB, and ASR levels, including analytical procedures to assess the reasonableness of patterns and trends within the annual financial statements in light of the auditor’s understanding of recent changes in EBS. Particular attention will be directed to those financial statement key performance indicators that analysts, investors, and other users study to assess the entity’s financial performance.73 Also, the portfolio of evidence will be levered to assess the adequacy and completeness of supplemental disclosures provided in the footnotes to the financial statements. Figure 8.2: Completion Risk Assessments

Le

ve

ls

Evidence of and from FST

EBS

CAB

ASR

Completion

MII

MBR Final Assessments of RMW, RMM, and DR at FST, CAB, and ASR Levels

Significant routine classes of transactions Significant and unusual transactions Significant accounting estimates and other valuations Other account balances Significant matters that may require disclosure

RMW (Fraud & Error)

Final Assessments of RMW, RMM, and DR, & Communications Final analytical procedures Adequacy of disclosures Final independent review of significant judgments underlying risk assessments Communication of significant matters to management and corporate governors

Professional judgment exercised to synthesize evidence obtained throughout the recursive risk assessment processes and decide whether beliefs and risk assessments are well justified and form the basis for an opinion

Once the final assessments of RMW and RMM have been performed, the auditor exercises professional judgment to synthesize the evidence obtained throughout the recursive risk assessment process and make final assessments of DR at the ASR, CAB, and overall FST levels. These final DR assessments entail the audit team’s evaluation of whether sufficient and appropriate triangulated evidence has been obtained to form the basis for the opinion on financial statements (i.e., whether beliefs and risk assessments are sufficiently well justified). The synthesized evidence will be levered to reassess the materiality threshold and to perform a final overall evaluation of the recursive risk assessment process. Such evaluation will 73

See Chapter Six for related discussion on the nature of such reasonableness assessments.

– 62 –

involve the audit team’s consideration of audit objectives and associated significant risks, risk assessments that prompted changes to the audit strategy and planned procedures, the nature and extent of responsive procedures and resulting findings and conclusions, material weaknesses or significant deficiencies identified in internal controls and related responses, identified audit differences and whether they were corrected by management, and so on. Finally, the auditor will communicate with management and corporate governors on, among other things, any identified material control weaknesses, significant control deficiencies, and identified significant misstatements and whether they have been corrected by the entity.

– 63 –

Chapter Nine

Concluding Remarks

In this monograph, we provide a conceptual discussion of how audit objectives have evolved in response to changing business conditions and societal accountabilities, and how auditors have and likely will adapt their methods to achieve these evolving objectives. We also present concepts that we believe to be germane to delivering high-quality audits and illustratively discuss how these concepts are implemented within KPMG’s Global Audit Methodology. Our discussion of concepts germane to audit quality emphasize the benefits of engaging in recursive evidence-driven, belief-based risk assessment. Also, we explain how, guided by professional judgment, auditors’ reasoned evidentiary triangulation facilitates attainment of audit objectives. We note that auditors who engage in triangulation obtain and lever evidence of and from three fundamental sources— entity business states (EBS), management information intermediaries (MII), and management business representations (MBR). We contend that auditors’ risk assessments and beliefs generally will be more justifiable when auditors engage in triangulation than when they do not. We further note that a main tenet of triangulation is that enhanced justifiability of beliefs arises because evidence from one fundamental source complements, instead of compensates for, evidence of and from other fundamental sources. Auditors who judiciously apply triangulation think through how evidence from one fundamental source simultaneously provides new information and answers or raises questions about the credibility of evidence from other fundamental sources. These dual benefits of triangulation enhance the overall persuasiveness of evidential support that auditors use to revise beliefs and, thus, belief justifiability. We observe that the persuasiveness of evidence used to form and revise beliefs and derivative risk assessments recently has become more critical to auditors because society has heightened the extent to which it holds auditors responsible for detecting material financial statement fraud. There are at least two markers of heightened evidence persuasiveness. One marker is the extent to which auditors inform their beliefs and risk assessments about MBR by acquiring and assimilating evidence of and from audited organizations’ MII (including their internal control over financial reporting).

– 65 –

Another marker is the extent to which auditors acquire and assimilate evidence about audited organizations’ EBS, including their business models, operating performance, and business risks. While evidence from all three of these fundamental sources is germane to audit objectives, including assessing RMW and components of AUR (RMM and DR), we also have observed that key properties of evidence may differ across these sources. Relative to evidence from other fundamental sources, as an example, certain EBSbased evidence normally is less susceptible to management distortion and so it can uniquely help auditors to learn about the veracity of evidence of and from MII and MBR. Absent sufficient such EBS-based evidence, auditors may have limited ability to discriminate between alternative causes of high internal consistency in the pictures (i.e., mental models) that emerge when considering evidence of and from MII and MBR. Strong internal consistency between MII- and MBR-based evidence could be due to a faithful portrayal of underlying business states, but it also could be due to clever deception by management. Finally, we note that auditors can further enhance the justifiability of beliefs by exercising professional skepticism (which includes having a questioning mindset). Auditors can direct questions inward, targeting the fallibility of their own judgment and decision-making processes. To manage DR in light of this fallibility, the prudent 21st century public company auditor preemptively self-criticizes his or her own or other auditors’ beliefs, asking why it is that those beliefs make the most sense as well as about the degree to which additional evidence of and from different fundamental sources could support or rule out maintained or alternative beliefs. In this monograph, a companion to the original Bell et al. [1997] monograph and follow-up Bell et al. [2002] chapter on the strategic-systems approach to auditing, we also implicitly present numerous research questions. We hope audit scholars will perceive these questions as fruitful avenues for future research. We conclude this monograph by briefly outlining three such potential research avenues. While we have described extensions of professional skepticism, the construct itself is complex and ill defined. What is professional skepticism as a construct and what are the primary indicators of its presence or absence? In extant professional guidance, the skepticism construct sometimes is described in ways that connote neutrality: auditors presume that the financial statements are neither free of misstatement nor misstated due to fraud (see, e.g., SAS 99). Recently, however, society appears to be thinking otherwise about this construct. In addition, there are indications that the characterization of skepticism in professional guidance may be evolving from neutrality toward presumptive doubt. If that were to occur, would the primary indicators of profes-

– 66 –

sional skepticism change? What factors (do and should) heighten auditors’ skepticism? What kinds of evidence acquisition and assimilation or thinking skills help auditors to exhibit sufficient professional skepticism? What cognitive stages associated with judgment and decision-making are critical to skepticism? Another prospect for future research is the concept of well justified, as used in the context of well-justified beliefs and attendant risk assessments. What makes auditors’ beliefs and risk assessments well justified in the eyes of both auditors and others to whom they are accountable? What empirical evidence can be amassed to test specific conditions under which evidentiary triangulation provides significant improvements to justifiability? While justifiability is an established judgment and decision-making attribute in the auditing and psychology scholarly literatures, the primary determinants of justifiability remain underspecified. One perspective is that justifiability may be nothing more than an amalgamation of other determinants of the quality of judgment and decision-making (e.g., accuracy, consensus, expected financial consequences). Conversely, another perspective is that justifiability is a separate construct.74 Finally, we see understanding determinants and implications of improved auditor thinking and analytical skills as fruitful research areas. Under what conditions and to what degree would enhanced auditor mental models of audited organizations improve their ability to recognize the benefits of acquiring and assimilating triangulated evidence? Recent research indicates that industry familiarity, as one example, enables auditors to usefully form and apply their mental models to adjust their risk assessments when confronting only partially complete patterns of evidence.75 Perhaps systems thinking skills facilitate auditors’ ability to understand and respond to partial patterns of cues and other complex forms of evidence, and recent research suggests that systems thinking skills facilitate recognition of unintended consequences of new controls.76 An example of an unintended consequence is when provision of a new independent check on production quality reduces, over time, the vigilance of workers responsible for initial quality-control screening. If this consequence were to occur, anticipated benefits of the new control might not be fully realized. Our belief is that auditing educators, practitioners, regulators, and researchers have key, complementary roles to play in expanding the positive value that auditing provides to society. With each party stepping up with respect to their comparative 74

For more discussion see, e.g., Hackenbrack [1997] and Kennedy et al. [1997].

75

Hammersley [2003] is a recent example of such research.

76

Hecht [2004] defines systems thinking as the language, cognitive tool set, and perspectives that enable decision makers to form reasonably accurate and complete mental representations of complex environments. Systems thinking skills help persons better envision how flows and stocks relate over time, and how seemingly small effects can lead to large consequences (Bell, et al. [2002]).

– 67 –

advantage, the profession is more likely to innovate ahead of the curve instead of waiting until society mandates innovation. Auditors would be more likely to compete on quality and quality improvements over time, rather than primarily on cost-minimization subject to meeting compliance constraints. Seeing that better auditors develop better reputations, as can be the case in other professions, creative, driven, and cerebral students would be more likely to pursue accounting and auditing careers. If these and similar other patterns can evolve over time, society likely would ascribe increased value to financial statement audits than in prior years, more fully recognizing how audits improve social welfare by facilitating the efficient allocation of resources. Our hope is that this monograph will help stimulate educators, practitioners, and researchers into action to help ensure this “virtuous” cycle.

– 68 –

Appendix

Legend of Acronyms Key Terms Used Throughout the Monograph ACRONYM

TERM

COMMENTS

ASR

Assertions Level

Procedures may be applied to assess the risk of material weakness (RMW), risk of material misstatement (RMM) and risk of significant misstatement (ROSM) at the level of specific assertions (see, e.g., pp. 9 and 32 of this monograph and ISA 500, ¶15-18)

AUR

Audit Risk

The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated (see, e.g., p. 2 of this monograph).

CAB

Classes of Transactions and Account Balances Level

Procedures may be applied to assess the risk of material weakness (RMW), risk of material misstatement (RMM) and risk of significant misstatement (ROSM) at the classes of transactions and account balances level (see, e.g., pp. 25 and 32 of this monograph and ISA 200 Appendix, ¶28).

CR

Control Risk

The risk that a misstatement that could occur in an assertion and that could be material, individually or when aggregated with other misstatements, will not be prevented or detected and corrected on a timely basis by the entity’s internal controls (see, e.g., p. 2 of this monograph).

DR

Detection Risk

The risk that the auditor will not detect misstatements that could be material individually or when aggregated with other misstatements (see, e.g., p. 2 of this monograph).

EBS

Entity Business States

The economic actions, conditions and events pertaining to the entity, other business organizations, and other elements in its environment, that are relevant to auditors’ assessments of RMW, RMM, and DR, including, for example, current and expected future economic and industry conditions, the entity’s business strategy, and its performance in core business processes. Selected EBS are transformed into management business representations (MBR) via management information intermediaries (MII). Audit evidence is evidence of and from three fundamental sources: EBS, MII, and MBR (see, e.g., pp. 3 through 5 of this monograph).

– 69 –

ACRONYM

TERM

COMMENTS

FST

Financial Statement Level

Procedures may be applied to assess the risk of material weakness (RMW), risk of material misstatement (RMM) and risk of significant misstatement (ROSM) at the financial statement level (see, e.g., pp. 25 and 32 of this monograph and ISA 200 Appendix, ¶27).

IR

Inherent Risk

The susceptibility of an assertion to a misstatement, that could be material, individually or when aggregated with other misstatements, assuming that there were no related internal controls (see, e.g., p. 2 of this monograph).

MBR

Management Business Representations

MBR are management representations of selected EBS within, for example, accounting journals or ledgers, general purpose financial statements (including footnotes), and in other forms of communication such as MD&A, press releases, and conference calls with analysts. Selected EBS are transformed into management business representations (MBR) via management information intermediaries (MII). Audit evidence is evidence of and from three fundamental sources: EBS, MII, and MBR (see, e.g., pp. 3 through 5 of this monograph).

MII

Management Information Intermediaries

MII are all of the mechanisms and processes that management uses to transform selected EBS into MBR. Examples of MII include people, policies, applicable financial reporting and internal control frameworks, computer networks, software programs and documentation (e.g., invoices), as well as internal control over financial reporting (including oversight by corporate governors). Selected EBS are transformed into management business representations (MBR) via management information intermediaries (MII). Audit evidence is evidence of and from three fundamental sources: EBS, MII, and MBR (see, e.g., pp. 3 through 5 of this monograph).

RMM

Risk of Material Misstatement

The risk that the financial statements are materially misstated prior to the audit. The authoritative guidance decomposes RMM into two components: inherent risk and control risk (see, e.g., p. 2 of this monograph).

RMW

Risk of Material Weakness

A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected. (see, e.g., p. 3, footnote 6 of this monograph and AS2).

ROSM

Risk of Significant Misstatement at the Assertion Level

The risk that an assertion relating to a significant account (class of transactions or account balance) or disclosure could be materially misstated due to error. The risk of significant misstatement is assessed for audit objectives by considering separate assessments of inherent risk and control risk. The assessed level of risk of significant misstatement determines the nature, timing and extent of substantive procedures (see, e.g., p. 42 of this monograph).

– 70 –

The 21st Century Public Company Audit Conceptual Elements of KPMG’s Global Audit Methodology

References

A

– 71 –

References

American Institute of Certified Public Accountants (AICPA). 2004. Codification of Auditing Standards (Including AICPA and PCAOB Auditing and Attestation Standards). New York. --------. 2002. Statement on Auditing Standard No. 99: Consideration of Fraud in a Financial Statement Audit. New York. --------. 1997. Statement on Auditing Standard No. 82: Consideration of Fraud in a Financial Statement Audit. New York. --------. 1988. Statement on Auditing Standard No. 53: The Auditor’s Responsibility to Detect and Report Errors and Irregularities. New York. --------. 1983. Statement on Auditing Standard No. 47: Audit Risk and Materiality in Conducting an Audit. New York. --------. 1981. Statement on Auditing Standard No. 39: Audit Sampling. New York. --------. 1977. Statement on Auditing Standard No. 16: The Independent Auditor’s Responsibility for the Detection of Errors or Irregularities. New York. --------. 1972. Statement on Auditing Procedure No. 54: The Auditor’s Study and Evaluation of Internal Control. New York. Arkes, H. R. and K. R. Hammond. 1986. Judgment and Decision Making: An Interdisciplinary Reader. Cambridge University Press. Ashton, R. H., D. Kleinmuntz, J. Sullivan, L. Tomassini. 1989. Audit decision making. In Research Opportunities in Auditing: The Second Decade, American Accounting Association, Auditing Section. Baron, J., J. Beattie, and J. C. Hershey. 1988. Heuristics and biases in diagnostic reasoning, II: Congruence, information, and certainty. Organizational Behavior and Human Decision Processes (August): 88-110. Bell, T., F. Marrs, I. Solomon and H. Thomas. 1997. Auditing Organizations Through A Strategic-Systems Lens: The KPMG Business Measurement Process, KPMG LLP.

– 73 –

Bell, T. B., M. E. Peecher, and I. Solomon. 2002. The strategic-systems approach to auditing. In T. B. Bell and I. Solomon (Eds.) Cases in Strategic-Systems Auditing: KPMG and University of Illinois at Urbana-Champaign Business Measurement Case Development and Research Program. KPMG LLP: 3-34. Biggs, S. F., T. J. Mock, and P. R. Watkins. 1989. Analytical Review Procedures and Processes in Auditing: Research Monograph Number 14. The Canadian Certified Accountants’ Research Foundation: Vancouver, CA. Brief, R. P, (Ed). 1982. SEC in the Matter of McKesson & Robbins: Report on Investigation. New York: Garland Publishing, Inc. Brown, C. E., M. E. Peecher, and I. Solomon. 1999. Auditors’ hypothesis testing in diagnostic inference tasks. Journal of Accounting Research (Spring): 1-26. Brown, R. G. 1962. Changing audit objectives and techniques. The Accounting Review(October): 696-703. Chisholm, R. M. 1989. Theory of Knowledge, 3rd Edition. Englewood Cliffs, N.J.: Prentice Hall. --------. 1982. The Foundations of Knowing. Minneapolis: University of Minnesota Press. Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. Enterprise Risk Management-Integrated Framework. New York: AICPA. --------. 1992. Internal Control-Integrated Framework. New York: AICPA. Canadian Institute of Chartered Accountants (CICA) 1995. Criteria of Control Board Guidance on Control (CoCo). Toronto: CICA. Cushing, B. E., L. E. Graham, Jr., Z-V. Palmrose, R. S. Roussey and I. Solomon. 1995. Risk orientation. In T. B. Bell and A. M. Wright (Eds.) Auditing Practice, Research, and Education. New York: AICPA. 11-54. Cushing, B. E. and J. K. Loebbecke. 1986. Comparison of Audit Methodologies of Large Accounting Firms. Studies in Accounting Research No. 26. Sarasota, FL: American Accounting Association. --------. 1983. Analytical approaches to audit risk: A survey and analysis. Auditing: A Journal of Practice & Theory (Fall): 23-41. Domanick, J. 1989. Faking It in America: Barry Minkow and the Great ZZZZ Best Scam. Contemporary Books: Chicago.

– 74 –

Einhorn, H. J. 1980. Learning from experience and suboptimal rules in decision making. In T. Wallsten (Ed.), Cognitive Processes in Choice and Decision Behavior. Hillsdale, NJ: Lawrence Erlbaum. Elliott, R. K. 1983. Unique audit methods: Peat Marwick International. Auditing: A Journal of Practice & Theory (Spring): 1-22. Emby, C. and M. Gibbins. 1988. Good judgment in public accounting: Quality and justification. Contemporary Accounting Research (Spring): 287-313. Erickson, M., B. W. Mayhew, and W. L. Felix, Jr. 2000. Why do audits fail? Evidence from Lincoln Savings and Loan. Journal of Accounting Research (Spring): 165-194. Financial Accounting Standards Board (FASB). 2004. Exposure Draft-Proposed Statement of Financial Accounting Standards: Fair Value Measurements (Technical Director, File Reference No. 1201-100, June 23). FASB, Financial Accounting Foundation. --------. 1998. Statement of Financial Accounting Standards No. 133: Accounting for Derivative Instruments and Hedging Activities. FASB, Financial Accounting Foundation. Gibbins, M. 1984. Propositions about the psychology of professional judgment in public accounting. Journal of Accounting Research (Spring), 103-125. Gibbins, M. and A. K. Mason. 1988. Professional Judgment in Financial Reporting: A Research Study. Canadian Institute of Chartered Accountants, Toronto. Goldstein, W. M. and R. M. Hogarth. 1997. Judgment and decision research: Some historical context. In W. M. Goldstein and R. M. Hogarth (Eds.) Cambridge Series on Judgment and Decision Making: Research on Judgment and Decision Making: Currents, Connections, and Controversies. Cambridge University Press: 3-65. Hackenbrack, K. 1997. Discussion of determinants of the justifiability of performance in ill-structured audit tasks. Journal of Accounting Research (Supplement, 35): 125-130. Hammersley, J. S. 2003. Pattern Identification and Industry Specialist Auditors. Doctoral Dissertation, University of Illinois at Urbana-Champaign. Hammond, J. S., R. L. Keeney, and H. Raiffa. 1999. Smart Choices: A Practical Guide to Making Better Decisions. Boston: Harvard Business School Press. Harvey, L., M. MacDonald, and J. Hill. 2000. Theories and Methods. London: Hodder & Stoughton.

– 75 –

Healy, P. and K. Palepu. 2003. The fall of Enron. Journal of Economic Perspectives (Spring): 3-26. Hecht, G. W. 2004. Systems thinking, mental representations, and unintended consequences. Doctoral dissertation, University of Illinois at UrbanaChampaign. Hogarth, R. M. 2004. Is confidence in decisions related to feedback? Evidence—and lack of evidence—from random samples of real-world behavior. Forthcoming in K. Fielder and P. Juslin (EDs), In the Beginning There is a Sample: Information Sampling as a Key to Understanding Adaptive Cognition. Cambridge, UK: Cambridge University Press. Houghton, K. and K. Trotman. 2003. Review of KPMG Australia’s Processes and Policies in Respect of Independence, Conflict Resolution, and Quality Controls. International Auditing and Assurance Standards Board (IAASB). 2005. Handbook of International Auditing, Assurance, and Ethics Pronouncements 2005 Edition (February). ---------. 2004. Proposed International Standard on Auditing 540 (Revised): Auditing Accounting Estimates and Related Disclosures (Other than Those Involving Fair Value Measurements and Disclosures). ---------. 2003. IAASB Action Plan 2003–2004. (January): 1-13. Kaplan, R. and D. Norton. 2004. Strategy Maps: Converting Intangible Assets into Tangible Outcomes. Boston: Harvard Business School Press. ---------. 1996. The Balanced Scorecard: Translating Strategy into Action. Boston: Harvard Business School Press. Kennedy, J., D. Kleinmuntz, and M. E. Peecher. 1997. Determinants of the justifiability of performance in ill-structured audit tasks. Journal of Accounting Research (Supplement, 35): 105-123. Kinney, W. 1989. Achieved audit risk and the audit outcome space. Auditing: A Journal of Practice & Theory (Supplement, 8): 67-84. Klein, D. B. 1997. Reputation Studies in the Voluntary Elicitation of Good Conduct. University of Michigan Press: 87-133. Lendez, A. M. and J. J. Korevec. 1999. How to prevent and detect financial statement fraud. The Journal of Corporate Accounting and Finance (Autumn): 47-54.

– 76 –

Lucey, K. G., (Ed). 1996. On Knowing and the Known: Introductory Readings in Epistemology. New York: Prometheus Books. Mautz, R. K., and H. A. Sharaf. 1961. The Philosophy of Auditing. American Accounting Association: Evanston. Merriam-Webster. http://www.m-w.com (accessed January 2005). Miller, H. E. 1974. Collectivization of judgment. The Arthur Andersen Chronicle. Chicago (January): 32. Mock, T. J. and I. Vertinksy. 1985. CGA Research Monograph Number 10: Risk Assessment in Accounting and Auditing: A Research Report. The Canadian Certified General Accountants’ Research Foundation. Vancouver, British Columbia. Nice, K. 2004. How fuel gauges work. HowStuffWorks, Inc. http://auto.howstuff works.com/fuel-gauge.htm/printable (accessed January 2005). Nicolaisen, D. T. 2005. In the public interest: A conversation with the Chief Accountant of the SEC. Journal of Accountancy (January): 63-70. Oxford Online English Dictionary. http://www.oed.com/ (accessed January 2005). Panel on Audit Effectiveness, Report and Recommendations. 2000. Stamford, CT, Public Oversight Board (August). Porter, M. 1985. Competitive Advantage. New York: Free Press. ---------. 1980. Competitive Strategy. New York: Free Press. Public Company Accounting Oversight Board (PCAOB). 2004. Auditing Standard No. 1 – References in Auditors’ Reports to the Standards of the Public Company Accounting Oversight Board. --------. 2004. Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements. --------. 2004. Auditing Standard No. 3 – Audit Documentation. Russell, B. 1948. Human Knowledge: Its Scope and Limits. Simon and Schuster, New York. Savage, L. 1954. The Foundations of Statistics. New York: John Wiley & Sons. Securities and Exchange Commission. 2003. Sarbanes-Oxley Section 704 Report.

– 77 –

Senge, P. M. 1990. The Fifth Discipline. New York: Doubleday. Shibano, T. 1990. Assessing audit risk from errors and irregularities. Journal of Accounting Research (28, Supplement): 110-140. Silvoso, J. A., H. A. Anderson, R. L. Grinaker, G. C. Mead, F. L. Neumann, W. G. Shenkir, D. E. Stone, R. H. Strawser, K. W. Stringer, A. R. Wyatt. 1973. A Statement of Basic Auditing Concepts. Studies in Accounting Research No. 6 (Sarasota, FL: American Accounting Association). Solomon, I. and M. E. Peecher. 2004. SOX 404-A billion here, a billion there. The Wall Street Journal (November 9). Manager’s Journal. Squires, S. E., C. J. Smith, L. McDougall, and W. R. Yeack. 2003. Inside Arthur Andersen: Shifting Values, Unexpected Consequences. Prentice-Hall Financial Times: NJ. Sterman, J. D. 2000. Learning in and about complex systems. System Dynamics Review. (10): 291-330. ---------. 1989. Misperceptions of feedback in dynamic decision making. Organizational Behavior and Human Decision Processes. (43): 301-335. Sullivan, J. D., R. A. Gnospelius, P. L. Defliese and H. R. Jaenicke. 1985. Montgomery’s Auditing: Tenth Edition. John Wiley & Sons, Inc.: New York. Sunstein, C. R. 2002. Are experts wrong? In Risk and Reason: Safety, Law, and the Environment. Cambridge University Press: New York. Tetlock, P. E., L. Skikta, and R. Boettger. 1989. Social and cognitive strategies for coping with accountability: Conformity, complexity, and bolstering. Journal of Personality and Social Psychology (October): 632-640. Trotman, K. 1990. Analytical Review: Audit Monograph No. 1. Australian Accounting Research Foundation. Warren, K. 2002. Competitive Strategy Dynamics. West Sussex, England: John Wiley & Sons. Yates, J. F. 1990. Judgment and Decision Making. Englewood Cliffs, New Jersey: Prentice Hall. Zimbelman, M. and W. Waller. 1999. An experimental investigation of auditor-auditee interaction under ambiguity. Journal of Accounting Research (Supplement): 135-155.

– 78 –

About the Authors

TIMOTHY B. BELL

Timothy B. Bell is director, assurance research at KPMG International’s Audit & Advisory Services Center (AASC) in Montvale, New Jersey. He earned his Ph.D. degree in business administration from Oklahoma State University in 1981 and is a certified public accountant and certified management accountant. Tim served on the executive committee of the Auditing Section of the American Accounting Association as Vice President-Academic (1997–1998), President (1998–1999), and Past President (1999–2000). In other capacities, he was the Auditing Section’s director of research (1991–1995) and a member of the editorial board for the Section’s publication, Auditing: A Journal of Practice and Theory (1989–1993). He is cofounder, executive director, and managing director-practice of the KPMG/University of Illinois (UIUC) Business Measurement Case Development and Research Program. Tim was featured and quoted in articles in The Wall Street Journal for his work on the development of new assurance services. Prior to joining KPMG LLP, Tim was a member of the accounting faculty at the University of Texas at Austin. Throughout his career, Tim has contributed to the accounting profession by authoring numerous articles published in leading scholarly journals. His writings also include contributions as coeditor of the AICPA monograph entitled Auditing Practice, Research, and Education: A Productive Collaboration (1995) and coauthor of the KPMG monographs entitled Auditing Organizations Through a Strategic-Systems Lens (1997) and Cases in Strategic-Systems Auditing (2002). Both the 1995 and 1997 monographs received The Joint AICPA/AAA Collaboration Award, which recognizes significant contributions to the auditing profession through collaborations between academics and practitioners. In 2003, the 1995 monograph received the Notable Contributions to the Auditing Literature Award from the Auditing Section of the American Accounting Association. In 2005, Tim received additional recognition from the Auditing Section: The Distinguished Service in Auditing Award and (along with Ira Solomon) the Innovation in Auditing and Assurance Education Award.

– 79 –

MARK E. PEECHER

Mark E. Peecher, C.P.A. Ph.D., is an Associate Professor and a Deloitte & Touche Teaching Fellow at the University of Illinois, Urbana-Champaign (UIUC). He holds B.S., M.A.S., and Ph.D. degrees in accountancy from UIUC. Prior to returning to his alma mater, Mark was an Assistant Professor at the University of Washington from 1994 to 1998. A highly regarded instructor, Mark teaches undergraduate and doctoral courses that focus on assurance and financial statement auditing and has chaired or served on several doctoral dissertation committees. Mark’s business-press writings on auditing have appeared in The Wall Street Journal, and his academic writings have appeared in Auditing: A Journal of Practice & Theory, International Journal of Auditing, Journal of Accounting Research, Organizational Behavior and Human Decision Processes, and The Accounting Review. Mark has spoken and presented his research at numerous conferences, consortia, and universities, and he has served on the editorial boards at Auditing: A Journal of Practice & Theory, The Accounting Review, and Issues in Accounting Education. IRA SOLOMON

Ira Solomon is the R.C. Evans Endowed Chair in Commerce and Head of the Department of Accountancy at the University of Illinois, Urbana-Champaign (UIUC). His research and teaching focus is external auditing. Ira has published over thirty articles in a variety of scholarly journals and books. Ira is a coauthor of Auditing Organi-zations Through a Strategic-Systems Lens, which received the Joint AAA/AICPA Collaboration Award. He has served as an Associate Editor of The Accounting Review and Accounting Horizons, and presently he is a member of the editorial boards of numerous journals. Previously, Ira was an Audit Research Fellow in KPMG’s Executive Office. He has served the American Accounting Association Auditing Section as Research Director, Vice President (Academic), President (1994–1995), and Past President (1995–1996). During his term as Research Director, he coedited (with A. Rashad Abdel-khalik) the monograph Research Opportunities in Auditing: The Second Decade (which was awarded the 1990 AAA/Deloitte & Touche Wildman Gold Medal). Ira directed “Project Discovery,” the undergraduate accountancy curriculum developed at the UIUC under a grant from the Accounting Education Change Commission. He also has served as Managing Director-Academic for the KPMG/UIUC Business Measurement Case Development & Research Program. Ira has been recognized on several occasions for outstanding teaching, including by the American Accounting Association as the 1997 Outstanding Auditing Educator. On three occasions the American Accounting Association Auditing Section has recognized Ira for Outstand-

– 80 –

ing Dissertation Supervision, in 1997, in 2000, and again in 2003. Lastly, Ira (along with Tim Bell) received the 2005 Innovation in Auditing and Assurance Education Award from the American Accounting Association.

– 81 –